Progress warns of critical RCE bug in Telerik Report Server

BleepingComputer


Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices.

As a server-based reporting platform, Telerik Report Server provides centralized storage for reports and the tools needed to create, deploy, deliver, and manage them across an organization.

Tracked as CVE-2024-6327, the vulnerability is due to a deserialization of untrusted data weakness that attackers can exploit to gain remote code execution on unpatched servers.

The vulnerability impacts Report Server 2024 Q2 (10.1.24.514) and earlier and was patched in version 2024 Q2 (10.1.24.709).

"Updating to Report Server 2024 Q2 (10.1.24.709) or later is the only way to remove this vulnerability," the business software maker warned in a Wednesday advisory. "The Progress Telerik team strongly recommends performing an upgrade to the latest version."

Admins can check if their servers are vulnerable to attacks by going through these steps:

  1. Go to your Report Server web UI and log in using an account with administrator rights.
  2. Open the Configuration page (~/Configuration/Index).
  3. Select the About tab and the version number will be displayed in the pane on the right.
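Once the version has been read off the About tab on each server, the results can be triaged against the build numbers quoted above. The following is an added example, not code from Progress or from the original article; it assumes the recorded string contains the four-part build number, and the hostnames and sample entries are constructed.

```python
import re

# Build numbers taken from the article: fixed in 10.1.24.709,
# vulnerable in 10.1.24.514 and earlier.
FIXED_BUILD = (10, 1, 24, 709)

# Four dot-separated integers that are not part of a longer dotted number.
_BUILD_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_build(text):
    """Return the four-part build as a tuple of ints, or None if absent."""
    match = _BUILD_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one recorded version string against CVE-2024-6327."""
    build = parse_build(version_text)
    if build is None:
        # A release name alone ("2024 Q2") is ambiguous: the vulnerable and
        # the fixed build share it, so the host must be re-checked by hand.
        return "unknown"
    # Integer tuples compare numerically, so 1000 sorts after 709
    # (a plain string comparison would get this wrong).
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def triage(inventory):
    """Map {host: version string} to {status: sorted list of hosts}."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and recording styles are made up).
SAMPLE_INVENTORY = {
    "rpt-01": "2024 Q2 (10.1.24.514)",
    "rpt-02": "10.1.24.709",
    "rpt-03": "2024 Q2",
    "rpt-04": "Report Server 9.0.0.1",
    "rpt-05": " 10.1.24.1000 ",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown were recorded by release name only and need the build number from the About tab before they can be cleared.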

Progress also provides temporary mitigation measures for those who can't immediately upgrade their devices to the latest release.

This requires changing the Report Server Application Pool user to one with limited permissions. Those who don't already have a procedure for creating IIS users and assigning them to an App Pool can follow the information in this Progress support document.

Older Telerik flaws under attack

While Progress has yet to share if CVE-2024-6327 has been exploited in the wild, other Telerik vulnerabilities have been under attack in recent years.

For instance, in 2022, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting the CVE-2019-18935 critical Progress Telerik UI vulnerability, which is included in the FBI's list of top targeted vulnerabilities and the NSA's top 25 security bugs abused by Chinese hackers.

According to a joint advisory from CISA, the FBI, and MS-ISAC, at least two threat groups (one of them the Vietnamese XE Group) breached the vulnerable server.

During the breach, they deployed multiple malware payloads and collected and exfiltrated information while maintaining access to the compromised network between November 2022 and early January 2023.

More recently, security researchers developed and released a proof-of-concept (PoC) exploit targeting remote code execution on Telerik Report servers by chaining a critical authentication bypass flaw (CVE-2024-4358) and a high-severity RCE (CVE-2024-1800).