A critical security vulnerability [3] [6] [7] [8], tracked as CVE-2024-6327 [1] [2] [3] [4] [5] [6] [7] [8], has been identified in Progress Software's Telerik Report Server [2] [6] [8]. It carries a CVSS score of 9.9 [6] and stems from an insecure deserialization issue that can lead to remote code execution [2].

Description

The flaw affects Telerik Report Server versions up to 2024 Q2 (10.1.24.514) and is fixed in 2024 Q2 (10.1.24.709) [4]. Users are strongly advised to update to this version or later. Progress Software has not confirmed any exploitation of this vulnerability in the wild.

This disclosure follows a previous critical vulnerability in the same software, CVE-2024-4358 [8], which allowed remote attackers to bypass authentication and create rogue administrator users [8]. Both vulnerabilities have been addressed [5] [8], and customers are encouraged to upgrade to the most recent versions to mitigate the risks [5]. The US Cybersecurity and Infrastructure Security Agency (CISA) has included this software in its Known Exploited Vulnerabilities catalog [8].

CVE-2024-6327 is linked to CVE-2024-6096 [3], an insecure type resolution issue affecting Telerik Reporting [3] [5]. To mitigate both risks [1] [3] [5] [6], upgrade Telerik Reporting to 2024 Q2 to address CVE-2024-6096, and upgrade Telerik Report Server to 2024 Q2 or later to fix CVE-2024-6327 [3]. If immediate upgrading is not feasible [3], or as an additional precaution after patching, change the user under which the Report Server Application Pool runs to an account with limited permissions [3]; this reduces what an attacker could do even if deserialization were abused.
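The application-pool hardening recommended above can be audited and applied from PowerShell on the IIS host. The script below is an added example and is not code from Progress or from the cited advisories; the pool name and service account are placeholders you must replace with your own values.

```powershell
# Added example: audit the IIS application pool hosting Telerik Report Server and,
# if it runs with a high-privilege identity, move it to a dedicated low-privilege account.
# Requires the IIS WebAdministration module (run in an elevated PowerShell on the IIS host).
Import-Module WebAdministration

$PoolName    = 'TelerikReportServer'    # placeholder: name of your Report Server app pool
$ServiceUser = 'DOMAIN\svc_reportsrv'   # placeholder: dedicated least-privilege account

function Get-AppPoolIdentity {
    param([string]$Name)
    $pm = Get-ItemProperty "IIS:\AppPools\$Name" -Name processModel
    # identityType is one of: LocalSystem, LocalService, NetworkService,
    # SpecificUser, ApplicationPoolIdentity
    [pscustomobject]@{ Pool = $Name; IdentityType = $pm.identityType; UserName = $pm.userName }
}

function Test-AppPoolIdentityIsPrivileged {
    param([string]$Name)
    $id = Get-AppPoolIdentity -Name $Name
    if ($id.IdentityType -eq 'LocalSystem') { return $true }
    if ($id.IdentityType -eq 'SpecificUser' -and $id.UserName) {
        # Flag a custom account that is a member of the local Administrators group
        $account = $id.UserName.Split('\')[-1]
        $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        return [bool]($admins | Where-Object { $_.Name -like "*\$account" })
    }
    return $false
}

function Set-AppPoolLowPrivilegeIdentity {
    param([string]$Name, [string]$UserName)
    # Prompt for the service account password rather than embedding it in the script
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    Set-ItemProperty "IIS:\AppPools\$Name" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $Name
}

$current = Get-AppPoolIdentity -Name $PoolName
Write-Host "Pool '$($current.Pool)' runs as $($current.IdentityType) $($current.UserName)"
if (Test-AppPoolIdentityIsPrivileged -Name $PoolName) {
    Write-Warning "App pool runs with elevated privileges; switching to $ServiceUser"
    Set-AppPoolLowPrivilegeIdentity -Name $PoolName -UserName $ServiceUser
}
```

The service account still needs read access to the Report Server installation folder and write access to its data and log directories, so verify the application starts and renders a report after the change.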

Conclusion

Users should update Progress Software's Telerik Report Server to the latest version to protect against CVE-2024-6327 and the related issues described above. Upgrading promptly and running the Report Server Application Pool under a least-privilege account reduce the likelihood and the impact of exploitation.

References

[1] https://securityaffairs.com/166168/security/telerik-report-server-cve-2024-6327.html
[2] https://www.tenable.com/cve/CVE-2024-6327
[3] https://cyber.vumetric.com/security-news/2024/07/26/progress-fixes-critical-rce-flaw-in-telerik-report-server-upgrade-asap-cve-2024-6327/
[4] https://www.techradar.com/pro/security/progress-warns-telerik-report-server-has-a-critical-security-bug
[5] https://www.helpnetsecurity.com/2024/07/26/cve-2024-6327/
[6] https://cybermaterial.com/critical-rce-vulnerability-in-telerik-server/
[7] https://cybersecuritynews.com/progress-telerik-report-server-flaw/
[8] https://thehackernews.com/2024/07/critical-flaw-in-telerik-report-server.html