The Digital Security Authority (DSA) wants to bring to your attention a Remote Code Execution (RCE) vulnerability chain in Progress Telerik Report Server that allows an unauthenticated attacker to bypass authentication controls and execute arbitrary code on the server.
Technical Details
Progress Telerik Report Server has been found to be vulnerable to a pre-authentication remote code execution (RCE) chain consisting of an authentication bypass vulnerability (CVE-2024-4358) and an insecure deserialization issue (CVE-2024-1800). On an unpatched server the bypass grants the attacker access to restricted functionality, from which the deserialization flaw can be reached to execute code.
Vulnerability Details:
- CVE-2024-4358 [9.8 Critical] - In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
- CVE-2024-1800 [9.9 Critical] - In Progress Telerik Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
Patched Version:
Update to 2024 Q2 (10.1.24.514)
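As an added worked check, not part of the DSA advisory or of Progress's own tooling, the following Python compares an installed Report Server version string against the version thresholds listed above and reports which of the two CVEs (and the full chain) apply and whether the 2024 Q2 fix is in place. The version string is an assumed input that the administrator reads from the server; the sample version values in the block are constructed for illustration.

```python
from typing import Dict

# Thresholds taken from the advisory text.
DESERIALIZATION_FIXED_IN = "10.0.24.130"    # CVE-2024-1800: affected if older than this
AUTH_BYPASS_LAST_AFFECTED = "10.0.24.305"   # CVE-2024-4358: affected if this version or earlier (on IIS)
PATCHED_RELEASE = "10.1.24.514"             # 2024 Q2, the version the advisory says to update to


def parse_version(text: str) -> tuple:
    """Turn a dotted numeric version such as '10.0.24.305' into a comparable tuple.

    Non-numeric input is rejected rather than silently compared as a string,
    which would make '9.2' sort above '10.0'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, hosted_on_iis: bool = True) -> Dict[str, bool]:
    """Report exposure of one Report Server install to the two CVEs.

    hosted_on_iis is an assumed input: the advisory scopes CVE-2024-4358 to
    IIS deployments, so the bypass is only flagged when that is True.
    """
    v = parse_version(version)
    deserialization = v < parse_version(DESERIALIZATION_FIXED_IN)
    auth_bypass = hosted_on_iis and v <= parse_version(AUTH_BYPASS_LAST_AFFECTED)
    return {
        "CVE-2024-1800": deserialization,
        "CVE-2024-4358": auth_bypass,
        # The pre-auth RCE chain needs both flaws on the same server.
        "pre_auth_rce_chain": deserialization and auth_bypass,
        "patched": v >= parse_version(PATCHED_RELEASE),
    }


def recommendation(version: str, hosted_on_iis: bool = True) -> str:
    """One-line action for an administrator, derived from assess()."""
    r = assess(version, hosted_on_iis)
    if r["patched"]:
        return f"{version}: at or above {PATCHED_RELEASE}; no action from this advisory."
    exposed = [cve for cve in ("CVE-2024-1800", "CVE-2024-4358") if r[cve]]
    if not exposed:
        return f"{version}: not covered by the listed CVEs but below {PATCHED_RELEASE}; update anyway."
    chain = " (full pre-auth RCE chain)" if r["pre_auth_rce_chain"] else ""
    return f"{version}: exposed to {', '.join(exposed)}{chain}; update to {PATCHED_RELEASE}."


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("9.1.23.110", "10.0.24.130", "10.0.24.305", "10.1.24.514"):
        print(recommendation(sample))
```

Note that a version between 10.0.24.130 and 10.0.24.305 is still exposed to the authentication bypass on its own, so the check treats any version at or below 10.0.24.305 as needing the 2024 Q2 update, not only those where the full chain applies.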
Recommendations
The Digital Security Authority recommends updating affected installations of Progress Telerik Report Server to 2024 Q2 (10.1.24.514) or the latest available release, which addresses both CVEs.
References
The information presented in this report is based on available data up to 4 June 2024.