Progress Telerik Reporting < v18.1.24.709 - Arbitrary Code Execution (RCE) via Unsafe Reflection (CVE-2024-6096)
Description
Background & Context
Telerik Reporting is an End-to-End Report Management Solution from Progress. Part of the Telerik Comprehensive UI Component Suite, the Report Server is a server-based lightweight Windows web app that may be deployed on-premises or in the cloud. It offers full report management, including well-organized, centralized report storage, previewing, and scheduling services, all secured by user management features. Telerik Report Server provides a comprehensive set of ready-to-use tools and services to assist in creating, deploying, delivering, and managing reports. It supports Blazor, ASP.NET Core, ASP.NET MVC, ASP.NET Web Forms, HTML5 (Responsive), Angular, React, Vue, WPF, and Windows Forms.
Vulnerability Summary
Progress Telerik Reporting contains an object injection vulnerability via an insecure type resolution. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.
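The pattern described above in code, as an added illustration that is not Telerik's code: a hypothetical report-rendering factory that first resolves a type name taken straight from the request (the CWE-470 shape), then the same factory rewritten so the request can only select from a closed allow-list. All type and method names here are invented for the example.

```csharp
using System;
using System.Collections.Generic;

// Added example (not Telerik's code): unsafe reflection (CWE-470) beside its
// hardened form. Renderer types and names are illustrative placeholders.
public interface IReportRenderer { string Render(string reportName); }
public sealed class PdfRenderer : IReportRenderer { public string Render(string r) => $"PDF:{r}"; }
public sealed class CsvRenderer : IReportRenderer { public string Render(string r) => $"CSV:{r}"; }

public static class RendererFactory
{
    // Unsafe: the fully qualified type name comes straight from the request.
    // Type.GetType may load assemblies on demand, and Activator runs the
    // constructor of whatever type it finds before the cast below is checked,
    // so the caller, not the developer, decides which code executes.
    public static IReportRenderer CreateUnsafe(string typeNameFromRequest)
    {
        Type t = Type.GetType(typeNameFromRequest, throwOnError: true);
        return (IReportRenderer)Activator.CreateInstance(t);
    }

    // Safe: the request selects a key in a closed allow-list; reflection never
    // sees request-controlled text and only the intended types can be built.
    private static readonly Dictionary<string, Func<IReportRenderer>> Allowed =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["pdf"] = () => new PdfRenderer(),
            ["csv"] = () => new CsvRenderer(),
        };

    public static IReportRenderer CreateSafe(string formatFromRequest)
    {
        if (formatFromRequest is null || !Allowed.TryGetValue(formatFromRequest, out var make))
            throw new ArgumentException($"Unsupported report format '{formatFromRequest}'.");
        return make();
    }
}

public static class Program
{
    public static void Main()
    {
        // Intended use behaves the same in both variants.
        Console.WriteLine(RendererFactory.CreateSafe("pdf").Render("sales"));
        Console.WriteLine(RendererFactory.CreateUnsafe(typeof(CsvRenderer).AssemblyQualifiedName).Render("sales"));

        // The allow-list rejects any value that is not a known format key,
        // rather than resolving and constructing whatever type the request names.
        try { RendererFactory.CreateSafe("System.Text.StringBuilder"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```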
Impact If Exploited
A successful exploit would allow an attacker to execute arbitrary (malicious) code that is not directly accessible to the attacker and is not intended to be accessible. Alternatively, the attacker could call unexpected code in the wrong place or at the wrong time, possibly modifying critical system state.
This vulnerability had not been reported by CISA (America's Cyber Defense Agency) as known to be actively exploited 'in the wild' at the time of writing (2024-07-25). However, a previous Telerik vulnerability (CVE-2024-4358) was targeted by organised threat actor groups last month (June 2024), and it is reasonable to expect that this vulnerability will be (or already has been) similarly targeted in 0-day attacks. Remediation should be prioritised in any impacted environment.
Affected Product Versions
Telerik Reporting 2024 Q2 (18.1.24.514) and older.
Indicators of Compromise (IoC)
The vendor has not published a list of indicators of compromise (IoC) at the time of writing.
Remediation
Official Fix & Remediation Guidance
Updating to at least Telerik Reporting 2024 Q2 (18.1.24.709) is the only way to remove this vulnerability. Downloads are available via https://www.telerik.com/account/downloads/product-download.
Please visit the upgrade documentation (Upgrade Overview - Telerik Reporting) and follow the instructions for the version you are upgrading from.
To check your current version of Telerik Reporting, there are two primary options:
If you’re using the REST service, you can visit the /api/reports/version/ endpoint (e.g., https://demos.telerik.com/reporting/api/reports/version).
If you’re only using the desktop tooling, check PC Settings > Installed Apps > expand Telerik Reporting item for details.
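For the REST-service check above, here is an added example (not Telerik's code) that fetches the version from the /api/reports/version/ endpoint and compares it numerically, field by field, against the fixed build 18.1.24.709. It assumes the endpoint returns the version as a plain or JSON-quoted string, and the base URL is a placeholder to replace with your own service root.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Added example (not Telerik's code): compare a Telerik Reporting REST
// service's reported version against the first fixed build from the advisory.
// Assumption: /api/reports/version/ returns the version as a string,
// possibly JSON-quoted (e.g. "18.1.24.514").
public static class TelerikVersionCheck
{
    // First build containing the fix for CVE-2024-6096 (from the advisory).
    public static readonly Version FixedVersion = new Version(18, 1, 24, 709);

    // Compare numerically with System.Version. A plain string comparison
    // would misorder builds once a field has a different number of digits.
    public static bool IsVulnerable(string reportedVersion)
    {
        string cleaned = reportedVersion.Trim().Trim('"');
        if (!Version.TryParse(cleaned, out Version v))
            throw new FormatException($"Unrecognised version string: '{reportedVersion}'");
        return v < FixedVersion;
    }

    // baseUrl is the Reporting REST service root, e.g. https://host/reporting
    public static async Task<string> FetchVersionAsync(string baseUrl)
    {
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
        return await http.GetStringAsync(baseUrl.TrimEnd('/') + "/api/reports/version/");
    }

    public static async Task Main(string[] args)
    {
        // Placeholder host; pass your own service root as the first argument.
        string baseUrl = args.Length > 0 ? args[0] : "https://reports.example.invalid/reporting";
        string reported = await FetchVersionAsync(baseUrl);
        bool vulnerable = IsVulnerable(reported);
        Console.WriteLine($"{baseUrl} reports {reported.Trim()} -> " +
            (vulnerable ? $"VULNERABLE, upgrade to {FixedVersion} or later" : "at or above fixed build"));
    }
}
```

A version with fewer than four fields (for example "18.1") parses with the missing fields set to -1 and therefore correctly sorts below the fixed build.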
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Temporary Mitigation & Workarounds
(The vendor has not advised of any alternative temporary mitigation or workarounds)
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
Information
- Category: Arbitrary Code Execution
- CWE: CWE-470
- CVE: CVE-2024-6096
- Known Exploitation Activity: none reported by CISA at the time of writing (see Impact If Exploited)
- OWASP 2013: A1 - Injection
- OWASP 2017: A1 - Injection
- OWASP 2021: A3 - Injection