Progress Patches Critical Security Flaw CVE-2024-8015 (CVSS 9.1) in Telerik Report Server

Summary: Progress Software has issued a security advisory regarding four critical vulnerabilities in the Telerik Report Server, which could lead to severe security risks for organizations. These vulnerabilities include credential stuffing, brute-force attacks, Denial-of-Service, and a critical code execution flaw, necessitating immediate updates to the software.

Threat Actor: Cybercriminals
Victim: Organizations using Telerik Report Server

Key Points:

  • Four vulnerabilities identified: CVE-2024-7292, CVE-2024-7293, CVE-2024-7294, and CVE-2024-8015.
  • CVE-2024-8015 has a CVSS score of 9.1, allowing complete control over the Report Server.
  • Progress Software recommends immediate updates to version 10.2.24.924 to mitigate risks.
  • Temporary mitigation includes changing the Application Pool user to one with limited permissions for those unable to update immediately.

Progress Software has released an important security advisory addressing four newly discovered vulnerabilities in its Telerik Report Server, a tool widely used for embedding reporting functionality into web, desktop, and cloud applications. These vulnerabilities, ranging from credential stuffing and brute-force attacks to a critical code execution flaw, pose serious risks to organizations using the tool.

The vulnerabilities, identified as CVE-2024-7292, CVE-2024-7293, CVE-2024-7294, and CVE-2024-8015, affect Telerik Report Server versions prior to 2024 Q3 (10.2.24.924). These flaws could allow attackers to:

  • Perform credential stuffing attacks: Exploit a lack of login attempt restrictions (CVE-2024-7292).
  • Conduct brute-force attacks against user passwords: Due to weak password requirements (CVE-2024-7293).
  • Launch Denial-of-Service (DoS) attacks: By targeting anonymous endpoints without rate limiting (CVE-2024-7294).
  • Execute arbitrary code on the server: Through an insecure type resolution vulnerability (CVE-2024-8015).

The most severe of these vulnerabilities, CVE-2024-8015, carries a CVSS score of 9.1 and could allow attackers to gain complete control of the Report Server.

Progress Software has urged all users to update their Report Server deployments to the latest version (10.2.24.924) immediately.

For users unable to immediately update to the patched version, Progress Software recommends the following temporary mitigation for CVE-2024-8015:

  • Change the Report Server’s Application Pool user to one with limited permissions. This will restrict the potential damage an attacker could inflict if they successfully exploit the vulnerability. Detailed instructions on how to implement this mitigation can be found in the Progress Knowledge Base article “How To Change IIS User for Report Server.”
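As an added example (not from the Progress advisory or its Knowledge Base article), the following PowerShell audits which identity each IIS application pool runs under, flags pools whose account would hand full host control to anyone who achieves code execution, and shows the cmdlet used to move a pool to a dedicated low-privilege account. The pool name `TelerikReportServer` is an assumption; adjust it to match your deployment.

```powershell
# Added example: audit IIS application pool identities and apply the interim mitigation.
# Requires the WebAdministration module (IIS management tools) and an elevated session.
Import-Module WebAdministration

# Assumption: the Report Server site runs in a pool with this name; adjust to your install.
$PoolName = 'TelerikReportServer'

function Get-AppPoolIdentityReport {
    # Members of the local Administrators group, reduced to the bare account name so that
    # "MACHINE\svc" and "svc" compare equal.
    $adminShort = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name |
        ForEach-Object { ($_ -split '\\')[-1] }

    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm        = $_.processModel
        $userShort = if ($pm.userName) { ($pm.userName -split '\\')[-1] } else { $null }

        [pscustomobject]@{
            Pool         = $_.Name
            IdentityType = $pm.identityType
            UserName     = $pm.userName
            # LocalSystem, or a specific user who is a local admin, means a successful
            # CVE-2024-8015 exploit runs with full control of the host.
            HighRisk     = ($pm.identityType -eq 'LocalSystem') -or
                           ($userShort -and ($adminShort -contains $userShort))
        }
    }
}

Get-AppPoolIdentityReport | Format-Table -AutoSize

# Interim mitigation: run the Report Server pool as a dedicated, non-admin service account.
# Uncomment to apply; identityType 3 = SpecificUser.
# $cred = Get-Credential -Message 'Low-privilege account for the Report Server pool'
# Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
#     identityType = 3
#     userName     = $cred.UserName
#     password     = $cred.GetNetworkCredential().Password
# }
# Restart-WebAppPool -Name $PoolName
```

The account you switch to still needs the file-system and database rights the Report Server requires, so test report rendering after the change before relying on it.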


Source: https://securityonline.info/progress-patches-critical-security-flaw-cve-2024-8015-cvss-9-1-in-telerik-report-server