CVE-2024-1800
Published: 2024-03-20
Priority: P1 · 78 · high · 8.8 (CVSS 3.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 40.38% (98.5th percentile)
In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | telerik_report_server | < 10.0.24.130 | 10.0.24.130 |
| progress_software_corporation | telerik_report_server | >= 1.00 < 2024 Q1 (10.0.24.130) | 2024 Q1 (10.0.24.130) |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Telerik Deserialization Attempt - POST to Vulnerable Path with Specific Extension (CVE-2024-1800)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/reportserver/report"; endswith; fast_pattern; http.request_body; content:"|22|reportName|22|"; content:"|22|reportContent|22|"; content:"|22|extension|22|"; pcre:"/^[^\x22]+\x22\.tr(d|b)p\x22/Ri"; reference:cve,2024-1800; classtype:attempted-admin; sid:2053448; rev:1; metadata:attack_target Server, created_at 2024_06_11, cve CVE_2024_1800, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Look for unauthenticated POST requests to /Startup/Register — this endpoint should not be accessible post-setup and its use indicates exploitation of the auth bypass (CVE-2024-4358) chained with CVE-2024-1800.
- Detect POST requests to /api/reportserver/report with a body containing 'reportName', 'reportContent', 'extension', and a filename ending in .trdp or .trbp — this matches the malicious report upload used for deserialization RCE.
- Inspect XML payloads sent to the Report Server for 'ResourceDictionary' and 'ObjectDataProvider' elements, which are the key indicators of the deserialization exploit payload.
- Review the Report Server users list at '{host}/Users/Index' for unrecognized Local users — rogue admin accounts created via the auth bypass will appear here.
- Use the Shodan query 'title:"Log in | Telerik Report Server"' to identify internet-exposed Report Server instances for asset inventory and exposure assessment.
- The Metasploit module targets Report Server version 10.0.24.130 and prior; flag any such version string observed in HTTP response headers or banners as a high-priority patching target.
- The Metasploit module will automatically delete the crafted report after exploitation but will NOT delete the rogue admin account it creates, leaving a persistent backdoor account on the system.
- A temporary mitigation (short of patching) is to change the Report Server Application Pool user to one with limited permissions, which reduces the blast radius of exploitation but does not remove the vulnerability.
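The first three indicators above can be checked offline against request logs. The following is an added example written for this page (not code from Emerging Threats, Telerik or the page's sources): it reproduces the conditions of the ET rule (POST, URI ending in /api/reportserver/report, the three JSON keys, and an extension of .trdp or .trbp) and also flags post-setup calls to /Startup/Register and the two gadget element names; the sample requests are constructed, not captured traffic.

```python
import re

# Added detection example for the indicators listed on this page; inputs are
# constructed request records (method, uri, body), not real traffic.
REPORT_UPLOAD_PATH = "/api/reportserver/report"
STARTUP_REGISTER_PATH = "/Startup/Register"
UPLOAD_KEYS = ('"reportName"', '"reportContent"', '"extension"')
# Mirrors the rule's pcre: after the "extension" key, a value ".trdp" or ".trbp".
UPLOAD_EXT_RE = re.compile(r'"extension"[^"]+"\.tr[db]p"', re.IGNORECASE)
# Element names the page names as payload indicators.
PAYLOAD_MARKERS = ("ResourceDictionary", "ObjectDataProvider")


def matches_et_2053448(method, uri, body):
    """True when the request satisfies the same conditions as ET sid 2053448."""
    if method.upper() != "POST" or not uri.endswith(REPORT_UPLOAD_PATH):
        return False
    if not all(key in body for key in UPLOAD_KEYS):
        return False
    return UPLOAD_EXT_RE.search(body) is not None


def scan_request(method, uri, body):
    """Return a list of finding labels for one request (empty list = nothing seen)."""
    findings = []
    if method.upper() == "POST" and uri.endswith(STARTUP_REGISTER_PATH):
        findings.append("post-setup Startup/Register call (CVE-2024-4358 auth bypass)")
    if matches_et_2053448(method, uri, body):
        findings.append("report upload with .trdp/.trbp extension (CVE-2024-1800)")
    seen = [marker for marker in PAYLOAD_MARKERS if marker in body]
    if seen:
        findings.append("deserialization gadget markers: " + ", ".join(seen))
    return findings


# Constructed sample traffic for a self-test.
SAMPLES = [
    ("GET", "/api/reportserver/reports", ""),
    ("POST", "/Startup/Register", "<constructed form body>"),
    ("POST", "/api/reportserver/report",
     '{"reportName":"q1","reportContent":"<constructed base64>","extension":".trdp"}'),
    ("POST", "/api/reportserver/report",
     '{"reportName":"q1","reportContent":"<constructed base64>","extension":".pdf"}'),
    ("POST", "/api/reportserver/report",
     '{"reportName":"q1","reportContent":"<ResourceDictionary><ObjectDataProvider/>",'
     '"extension":".trbp"}'),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, scan_request(method, uri, body) or "clean")
```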
Suricata
ET EXPLOIT Possible Telerik Deserialization Attempt - POST to Vulnerable Path with Specific Extension (CVE-2024-1800)
suricata·2024-06-11·CVSS 9.9
Suricata
ET WEB_SPECIFIC_APPS Fortigate FortiOS Invalid HTTP Chunk Length Out of Bounds Write Remote Code Execution Attempt (CVE-2024-21762) - Heap Manipulation
suricata·2024-03-22·CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortigate FortiOS Invalid HTTP Chunk Length Out of Bounds Write Remote Code Execution Attempt (CVE-2024-21762) - Heap Manipulation"; flow:established,to_server; stream_size:client,>,1800; http.method; content:"POST"; http.uri; content:"/remote/"; http.request_body; content:"/bin/node|25 30 30|"; fast_pattern; content:"|2d|e|25 30 30|"; within:20; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2024-21762; reference:url,www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762; classtype:trojan-activity; sid:
Nuclei
Progress Telerik Report Server - Authentication Bypass
nuclei·CVSS 9.8
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Template:
id: CVE-2024-4358
info:
  name: Progress Telerik Report Server - Authentication Bypass
  author: DhiyaneshDK
  severity: critical
  description: |
    In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
  impact: An unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Metasploit
Telerik Report Server Auth Bypass and Deserialization RCE
metasploit·CVSS 8.8
This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges. The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account because users are unable to delete themselves.
Bleepingcomputer
Progress warns of critical RCE bug in Telerik Report Server
blogs_bleepingcomputer·2024-07-25·CVSS 9.9
## Sergiu Gatlan
Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices.
As a server-based reporting platform, Telerik Report Server provides centralized storage for reports and the tools needed to create, deploy, deliver, and manage them across an organization.
Tracked as CVE-2024-6327, the vulnerability is due to a deserialization of untrusted data weakness that attackers can exploit to gain remote code execution on unpatched servers.
The vulnerability impacts Report Server 2024 Q2 (10.1.24.514) and earlier and was patched in version 2024 Q2 (10.1.24.709).
"Updating to Report Server 2024 Q2 (10.1.24.7
Tenable
CVE-2024-4358, CVE-2024-1800: Exploit Code Available for Critical Exploit Chain in Progress Telerik Report Server
blogs_tenable·2024-06-04·CVSS 9.9
Bleepingcomputer
Exploit for critical Progress Telerik auth bypass released, patch now
blogs_bleepingcomputer·2024-06-03·CVSS 9.9
## Bill Toulas
Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.
The Telerik Report Server is an API-powered end-to-end encrypted report management solution organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports.
Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.
## Creating rogue admin accounts
The authentication bypass