CVE-2024-1403 (CVSS 10): Critical Progress OpenEdge Vulnerability

Attention Progress OpenEdge users! A critical security vulnerability was recently discovered within the platform’s authentication system. This flaw (CVE-2024-1403) carries a CVSS score of 10 – the highest severity rating possible. This means an immediate patch is crucial for systems running affected versions of OpenEdge.

What’s the Issue?

In OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0, there’s a bug in the way certain usernames and passwords are handled. An attacker could exploit this flaw to gain unauthorized access to various OpenEdge components, including your sensitive databases. This is especially worrisome if you configure your system to rely on local operating system accounts for authentication.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” Progress explains.

“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.“

The Scope – Who’s Affected?

CVE-2024-1403 poses a risk for a wide range of OpenEdge components:

• OpenEdge Authentication Gateway (OEAG): This gateway is often the front door to your OpenEdge databases for both ABL and SQL clients, utilities, and even PASOE agents connecting to your databases.
• AdminServer: Tools like OpenEdge Management (OEM) and OpenEdge Explorer (OEE) rely on the AdminServer. An exploited AdminServer grants an attacker wider access to resources via these management tools.
• DataServer Connections: If you employ DataServer connections to databases managed with OEAG, they are also at potential risk.

The Good News – Patches are Available!

Progress has acted swiftly in providing fixes, including in the following updates:

• OpenEdge LTS 11.7.19
• OpenEdge 12.2.14
• OpenEdge 12.8.1

Action Time – What You Need to Do

1. Upgrade ASAP: If you’re on an affected version, the top priority is to apply the relevant update. If you’re using a retired version of OpenEdge, you’ll need to upgrade to a currently supported version before applying the patch.
2. Temporary Mitigation: Can’t patch immediately? Progress has provided temporary steps. But remember, these are strictly short-term fixes until you can apply the official patch.

Protect Your Business

Staying up-to-date on patches and being aware of potential vulnerabilities is key to safeguarding your critical business applications built on OpenEdge.