Telerik Report Server Identified with Critical Vulnerability Leading to Risk of Remote Code Execution
Progress Software advises users to promptly upgrade their Telerik Report Server installations after uncovering a severe security flaw that could lead to remote code execution.
The vulnerability, identified as CVE-2024-6327 (CVSS score: 9.9), impacts versions of Report Server prior to 2024 Q2 (10.1.24.514).
“In instances of Progress Telerik Report Server preceding version 2024 Q2 (10.1.24.709), an attacker could feasibly execute remote code through an insecure deserialization flaw,” the organization stated in an advisory.
Deserialization vulnerabilities arise when an application reconstructs objects from attacker-controlled data without adequate validation, which can let the attacker trigger unauthorized command execution.
Progress Software said the flaw has been fixed in version 10.1.24.709. As an interim mitigation, it recommends changing the user account of the Report Server Application Pool to one with limited permissions.

System administrators can verify whether their servers are exposed by following these steps:
- Access the Report Server web user interface and log in using an admin account.
- Navigate to the Configuration page (~/Configuration/Index).
- Choose the About tab to view the version number displayed in the right panel.
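The manual check above reads one version number from one server. For a fleet, the same comparison can be scripted against the version strings collected from each About tab. The following is an added example, not Progress Software's code or part of the advisory; the fixed build 10.1.24.709 comes from the advisory, the inventory values are constructed samples, and the comparison assumes the dotted numeric format the About tab displays. Components are compared as integers rather than as strings, so a four-digit build number such as 10.1.24.1000 is correctly ranked above 10.1.24.709.

```python
"""Flag Telerik Report Server builds below the fixed version for CVE-2024-6327.

Added example (not vendor code). FIXED_VERSION is the patched build named in
the advisory; the inventory below is a constructed sample.
"""
from __future__ import annotations

FIXED_VERSION = "10.1.24.709"  # 2024 Q2 patched build, per the advisory

# Constructed sample inventory: hostname -> version string read from the About tab.
SAMPLE_INVENTORY = {
    "reports-01": "10.1.24.514",  # 2024 Q2 initial build, still affected
    "reports-02": "10.1.24.709",  # patched build
    "reports-03": "9.2.23.1010",  # constructed older build, affected
}


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '10.1.24.514' into (10, 1, 24, 514) for numeric comparison.

    Rejects anything that is not a dotted run of integers so a scraped
    value such as 'unknown' cannot silently compare as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build.

    Shorter version strings are right-padded with zeros so '10.1' and
    '10.1.0.0' compare as equal rather than by length.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames still running a build below the fixed version."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, upgrade required")
```

Running the script against the sample inventory lists reports-01 and reports-03; reports-02 is on the fixed build and is not reported. The ValueError on malformed input is deliberate: a host whose version could not be read should surface as an error in the triage run, not disappear from the list of affected servers.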
The announcement comes nearly eight weeks after the company addressed a different critical flaw in the same software (CVE-2024-4358, CVSS score: 9.8) that could be exploited by remote attackers to bypass authentication and create unauthorized administrator accounts.
