
Legacy Installer Vulnerability

Description

  • Telerik Reporting - Windows Installer component v18 and older.

Root Cause

In Telerik Reporting versions R3 2023 SP1 (17.2.23.1114) and older, it is possible for a bad actor who already has access to the Windows user's local account to gain elevated permissions using the legacy installer.

During initial installation of Telerik Reporting, the user must always approve the UAC prompt for the installer to obtain elevated permissions to complete the installation. However, if the product has already been installed, the installer could be abused to execute commands at a higher privilege than the current user.

Solution

Update Telerik Reporting to the latest version, 2024 Q1 (18.0.24.130) or later. Installing the update will replace the legacy installer, removing the avenue of attack.
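As an added inventory check (not part of the advisory and not Telerik's own tooling), the following PowerShell enumerates the standard Windows Uninstall registry keys for entries whose DisplayName contains "Telerik Reporting" and flags any whose DisplayVersion is older than the fixed build 18.0.24.130 named above. The fixed version comes from the advisory; the assumption that the legacy installer registers under these Uninstall keys with that DisplayName is mine.

```powershell
# Added example: flag Telerik Reporting installs older than the fixed 2024 Q1 build.
# Assumption (not stated in the advisory): the legacy Windows installer registers
# the product under the standard Uninstall keys with a DisplayName containing
# "Telerik Reporting". NuGet/manual/loose-DLL installs are not affected and will
# not appear here, which matches the advisory's scope.
$FixedVersion  = [version]'18.0.24.130'   # 2024 Q1, from the advisory
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-TelerikReportingInstallStatus {
    param([version]$Fixed = $FixedVersion)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Telerik Reporting*' } |
        ForEach-Object {
            # DisplayVersion may be absent or not a dotted numeric string, so parse
            # defensively and compare as [version], not as a string ("17.2" vs "18.0").
            $parsed = $null
            $isVersion = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)

            if (-not $isVersion) {
                $status = 'UNKNOWN - version not parseable, review manually'
            } elseif ($parsed -lt $Fixed) {
                $status = 'VULNERABLE - legacy installer present, update to 2024 Q1 (18.0.24.130) or later'
            } else {
                $status = 'OK - fixed installer build'
            }

            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = $status
            }
        }
}

$results = Get-TelerikReportingInstallStatus
if (-not $results) {
    Write-Output 'No Telerik Reporting entries found under the Uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it in an elevated or standard session on each Windows host that may carry a developer or build-server install; only hosts reporting VULNERABLE need the updated installer applied.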

Notes

  • We would like to thank the Lockheed Martin Red Team for their professionalism, completeness, and responsible disclosure.
  • Relevance:

    • This issue does not affect Telerik Reporting itself; it is specific to the Windows installer only.
    • This does not affect other avenues of installation: NuGet packages, manual installation, or loose DLLs.
  • Viability: In order to perform this attack, it is required that:

    • The attacker must already have gained access to your system via some other method.
    • The product must have been installed using the legacy Windows installer.

External References

CVE-2024-0832 (HIGH)

CVSS: 7.8

In Telerik Reporting versions prior to 2024 Q1, a privilege elevation vulnerability has been identified in the application's installer component. In an environment where an existing Telerik Reporting install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

Discoverer Credit: HackerOne - Lockheed Martin Red Team.
