Authentication Bypass Vulnerability
Description
Critical Alert – May 2024 - CVE-2024-4358
- Telerik Report Server 2024 Q1 (10.0.24.305) and earlier.
Issue
CWE-290 Authentication Bypass by Spoofing
What Are the Impacts
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
It is important to review your Report Server’s users list for any new Local users you have not added at {host}/Users/Index
.
Solution
Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
Current Version | Guidance |
---|---|
2024 Q1 (10.0.24.305) | Update to 2024 Q2 (10.1.24.514) (update instructions) |
Temporary Mitigation
If upgrading your Report Server instance(s) is not an immediate option, we strongly recommend that you promptly implement a URL Rewrite mitigation technique to remove the attack surface in IIS:
- The URL Rewrite IIS module is required for this mitigation. If you do not already have it installed, you may download it from here (relaunch IIS Manager after installtion).
- Open IIS Manager and select the Telerik Report Server site.
- Select the URL Rewrite module (see screenshot below for this view).
- Click “Add Rules”
- Choose a ‘Request Blocking’ rule.
- For “Block Access Based On”, select “URL Path”
- For “Pattern”, enter the value: startup/register
- Click OK to save and activate the rule.
Do not add a URL Rewrite rule until after Report Server has been fully installed and configured, as this rule blocks traffic to the initial setup functionality.
Notes
- All customers who have a Telerik Report Server license can access the downloads here Product Downloads | Your Account.
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to Telerik customers with an active support plan.
External References
CVE-2024-4358 (CRITICAL)
CVSS: 9.8
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Credit: "Sina Kheirkhah of Summoning Team working with Trend Micro Zero Day Initiative"