Progress Software's latest security advisory warns customers about the second critical vulnerability targeting its Telerik Report Server in as many months.
CVE-2024-6327 is an insecure deserialization vulnerability (CWE-502) carrying a 9.9 CVSS score. Successful exploits can lead to remote code execution (RCE) on servers running all versions prior to 10.1.24.709.
These are the kinds of bugs that in an ideal world should be fixed in double quick time, but you should pay special attention to this one in particular because of attackers' history with this type of vulnerability in this suite of products.
Some of you may remember CVE-2019-18935, another deserialization of untrusted data vulnerability affecting Telerik UI for ASP.NET AJAX. It was used by multiple attackers including an unspecified Advanced Persistent Threat (APT) group to successfully target US federal agencies in 2023, despite being added to CISA's Known Exploited Vulnerability (KEV) catalog in 2021.
In a security advisory, CISA said the agency's vulnerability scanner had the plugin to detect CVE-2019-18935, but didn't pick up on the exploit because Telerik UI was installed in an atypical file path – a reality it said was likely to be the same for many users.
Although the APT wasn't specified, CVE-2019-18935 is a known favorite of Chinese attackers. The bulk of the malicious behavior involved reconnaissance and scanning, CISA said.
- Batten down the hatches, it's time to patch some more MOVEit bugs
- One year on, universities org admits MOVEit attack hit data of 800K people
- MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen
- MOVEit cybercriminals unearth fresh zero-day to exploit on-prem SysAid hosts
The disclosure of the vulnerability makes it the second near-maximum severity bug in Telerik Report Server in as many months. In late May, 9.8-rated CVE-2024-4358 was also discovered – an authentication bypass bug that allows attackers to make themselves admin users.
Sina Kheirkhah, security researcher at Summoning Team, discovered the flaw and demonstrated how it could be chained with yet another deserialization of untrusted data bug (CVE-2024-1800) in Telerik Report Server from April to achieve full RCE.
Double trouble
Progress also disclosed a second vulnerability, CVE-2024-6096, affecting Telerik Reporting – its .NET embedded reporting tool.
Carrying an 8.8 CVSS score, it's not quite in the critical category but definitely severe enough that you'll want to do something about it.
It's an insecure type resolution vulnerability that could lead to RCE via an object injection attack if exploited.
Versions 18.1.24.514 and older are all affected and upgrading to 18.1.24.709 is the only way of removing the vulnerability – there is no mitigation available, Progress said. ®