Progress Patches Critical Security Flaw CVE-2024-8015 (CVSS 9.1) in Telerik Report Server
Progress Software has released a security advisory addressing four newly discovered vulnerabilities in Telerik Report Server, a tool widely used for embedding reporting functionality into web, desktop, and cloud applications. These vulnerabilities, ranging from credential stuffing and brute-force attacks to a critical code execution flaw, pose serious risks to organizations using the tool.
The vulnerabilities, identified as CVE-2024-7292, CVE-2024-7293, CVE-2024-7294, and CVE-2024-8015, affect Telerik Report Server versions prior to 2024 Q3 (10.2.24.924). These flaws could allow attackers to:
- Perform credential stuffing attacks, because login attempts are not restricted (CVE-2024-7292).
- Brute-force user passwords, because password requirements are weak (CVE-2024-7293).
- Launch Denial-of-Service (DoS) attacks by targeting anonymous endpoints that lack rate limiting (CVE-2024-7294).
- Execute arbitrary code on the server through an insecure type resolution vulnerability (CVE-2024-8015).
The most severe of these vulnerabilities, CVE-2024-8015, carries a CVSS score of 9.1 and could allow attackers to gain complete control of the Report Server.
Progress Software has urged all users to update their Report Server deployments to the latest version (10.2.24.924) immediately.
For users unable to immediately update to the patched version, Progress Software recommends the following temporary mitigation for CVE-2024-8015:
- Change the Report Server’s Application Pool user to one with limited permissions. This will restrict the potential damage an attacker could inflict if they successfully exploit the vulnerability. Detailed instructions on how to implement this mitigation can be found in the Progress Knowledge Base article “How To Change IIS User for Report Server.”
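One way to audit and apply that application pool change from PowerShell, as an added example that is not part of the advisory or of the Progress knowledge base article. It assumes Windows Server with IIS and the WebAdministration module; the pool name and the service account name are placeholders.

```powershell
# Added example (not from Progress or the KB article). Run in an elevated session.
# Assumes IIS with the WebAdministration module; names below are placeholders.
Import-Module WebAdministration

$PoolName       = 'TelerikReportServer'   # placeholder: your Report Server app pool
$ServiceAccount = 'CORP\svc-reportsrv'    # placeholder: dedicated low-privilege account

# Report which identity the pool runs under and whether it is high-privilege.
# LocalSystem is effectively administrative; a custom account is flagged if it
# is a member of the local Administrators group.
function Get-PoolIdentityRisk {
    param([string]$Name)
    $pm = (Get-Item "IIS:\AppPools\$Name").processModel
    $identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
    $risky = ($pm.identityType -eq 'LocalSystem')
    if ($pm.identityType -eq 'SpecificUser') {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        if ($admins.Name -contains $pm.userName) { $risky = $true }
    }
    [pscustomobject]@{ Pool = $Name; Identity = $identity; HighPrivilege = $risky }
}

# Switch the pool to a specific low-privilege account and recycle it.
function Set-PoolServiceAccount {
    param([string]$Name, [pscredential]$Credential)
    Set-ItemProperty "IIS:\AppPools\$Name" -Name processModel -Value @{
        identityType = 'SpecificUser'
        userName     = $Credential.UserName
        password     = $Credential.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $Name
}

Get-PoolIdentityRisk -Name $PoolName                       # before
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
Set-PoolServiceAccount -Name $PoolName -Credential $cred
Get-PoolIdentityRisk -Name $PoolName                       # after: HighPrivilege should be False
```

The new account still needs NTFS read/write access to the Report Server's own installation and data directories, which must be granted separately or the service will fail to start.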