Tech Stack:
- Affected Technology: Progress Telerik Report Server running on IIS.
Date(s) Issued:
- Published Date: May 29, 2024
- Last Modified Date: November 21, 2024
Criticality:
- CVSS Score: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Interpretation: This score indicates that the vulnerability is easily exploitable by unauthenticated attackers over the network, leading to complete compromise of confidentiality, integrity, and availability.
Overview:
CVE-2024-4358 is an authentication bypass vulnerability in Progress Telerik Report Server versions 2024 Q1 (10.0.24.305) and earlier. An unauthenticated attacker can exploit this vulnerability to gain unauthorized access to restricted functionalities of the Report Server.
Solution/Mitigation:
Upgrade:
- Recommended Action: Upgrade to Progress Telerik Report Server version 2024 Q2 (10.1.24.514) or later. This version addresses the authentication bypass vulnerability.
- Upgrade Instructions: Follow the official upgrade guide provided by Progress Telerik (docs.telerik.com).
Temporary Mitigation:
If immediate upgrading is not feasible, implement the following temporary measure to mitigate the vulnerability:
- URL Rewrite Rule in IIS:
- Install URL Rewrite Module: Ensure the URL Rewrite module is installed in IIS. If not, download and install it from the official Microsoft website.
- Configure Request Blocking:
- Open IIS Manager and select the Telerik Report Server site.
- Navigate to the “URL Rewrite” module.
- Click on “Add Rules” and choose “Request Blocking.”
- Set “Block access based on” to “URL Path.”
- Enter the pattern startup/register to block unauthorized access attempts.
- Save the rule to activate it.
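The Request Blocking rule built through the IIS Manager steps above, expressed as the equivalent web.config fragment for the Telerik Report Server site. This is an added example, not configuration from the Progress advisory; the rule name and the 403 response are assumptions, and the only value taken from the advisory is the startup/register pattern.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Temporary mitigation for CVE-2024-4358 until the upgrade to
             2024 Q2 (10.1.24.514) or later is applied. Rule name is an
             assumed label, not one prescribed by the advisory. -->
        <rule name="Block Report Server startup/register" stopProcessing="true">
          <!-- URL Rewrite matches against the path without the leading slash,
               as a case-insensitive regular expression (the default), so
               "startup/register" also covers "Startup/Register". -->
          <match url="startup/register" ignoreCase="true" />
          <!-- Reject the request with a 403 rather than letting it reach
               the application. AbortRequest is an alternative action type. -->
          <action type="CustomResponse"
                  statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access to this resource is blocked." />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After saving, confirm a request to {host}/Startup/Register returns 403 while normal Report Server pages still load; this fragment only blocks the registration endpoint and does not remove the underlying flaw.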
Confirmation & Additional Information:
Verification:
- Post-Upgrade:
- Verify the installed version to ensure the upgrade was successful.
- Review the Report Server’s user list for any unauthorized accounts at {host}/Users/Index.
- Post-Mitigation:
- Test the URL rewrite rule to confirm it effectively blocks unauthorized access attempts.
Ongoing Updates:
- Regularly monitor official advisories from Progress Telerik for any further updates or patches related to CVE-2024-4358.