Progress patches authentication bug in OpenEdge

Progress Software’s OpenEdge authentication gateway and AdminServer need to be patched against a critical authentication bypass bug present in all supported releases of OpenEdge.

According to the company’s advisory, the bug affects OpenEdge Release 11.7.18 and earlier, OpenEdge 12.2.13 and earlier, and OpenEdge 12.8.0.

The bug’s Mitre entry adds: “Certain unexpected content passed into the credentials can lead to unauthorised access without proper authentication.”

Progress said the vulnerability manifests when the OpenEdge authentication gateway (OEAG) is configured with an OpenEdge domain that uses the operating system’s local authentication provider.

Another vulnerable scenario is when the admin server connection is made by OpenEdge Explorer and OpenEdge management, because this process also uses the OS’s local authentication provider.

AdminServer logins are always vulnerable, Progress explained, because they only support OS local logins.

The OEAG, on the other hand, “is only vulnerable when an administrator has configured an OpenEdge domain to use the OS local authentication provider”, the advisory stated.

“The vulnerability incorrectly returns authentication success from an OE local domain if there is a failure to properly handle certain types of usernames and passwords.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts