Progress-owned Telerik Report Server addressed two vulnerabilities in its system, which were associated with Authentication bypass and Insecure Deserialization. To add a note, the uncertain deserialization was labeled as 9.9 (Critical) rather than 8.8 (High), which was the initial severity of the vulnerability.
However, the Authentication bypass had a severity of 9.8 (Critical), which permitted danger actors to avoid authentication on the involved structures of the Progress Software Telerik Reporting. The CVEs for these vulnerabilities were assigned as CVE-2024-4358 (Authentication Bypass) and CVE-2024-1800 (Insecure Deserialization of Untrusted Data showing to Remote Code Execution). Moreover, investigators have found a new method to incorporate both of these vulnerabilities, which could make a system manager account for involved installations.
In this technical analysis, we focus on CVE-2024-4358 and CVE-2024-1800
According to the news transmitted, this vulnerability existed due to the “Register” strategy, which is available unauthenticated and can use accepted parameters to form a user with “system administrator” rights. It was also said that this vulnerability reached the newly announced ConnectWise ScreenConnect Authentication bypass vulnerability, which lets unauthenticated users make a system administrator account on involved structures.
Nevertheless, this exposure existed as there was no statement to stop unauthenticated users from accessing this endpoint after setting up the Telerik Report Server. In addition, once certified into the server, a danger actor can use the deserialization of an untrusted data vulnerability to gain full Tiny code performance on the concerned server.
In addition, once certified into the server, a danger actor can use the deserialization of an untrusted data vulnerability to gain full Tiny code performance on the concerned server. Moreover, evidence of the idea for this vulnerability has also been publicized.
Investigators who found this vulnerability also said that the Telerik Report server processes all of the data on the server flank. Also, the server reporting segment was the initial stage of research, which led to many other techniques and procedures.
Telerik news server uses the IsSupportedExtension technique which replaces real only if the attachment of the file is either .trdp or .trbp which is then entitled to shoot Unpackagedocument where all the array of bytes are transformed to reasonably understood .NET MemoryStream. Also, the unconfident deserialization happens in ReportXmlSerializer (), which has the vulnerable Deserialize () constructor. The Summoning Team has issued full information about this vulnerability and an illustration of its functions.
In complement to this, experimenters have posted evidence of image code on GitHub. It is advised that users of the Progress Telerik Report Server boost their software to the latest interpretations to control hazard actors from manipulating these vulnerabilities.