CVE-2024-4357
📋 TL;DR
This CVE describes an XML External Entity (XXE) vulnerability in Progress Telerik Report Server that allows low-privilege authenticated attackers to read arbitrary files from the server's filesystem. The vulnerability affects version 2024 Q1 (10.0.24.305) and earlier. Attackers can exploit this to access sensitive system files and potentially escalate privileges.
💻 Affected Systems
- Progress Telerik Report Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files (passwords, configuration files, SSH keys), potentially leading to full system compromise through credential theft or privilege escalation.
Likely Case
Low-privilege authenticated users reading application configuration files, source code, or other sensitive data stored on the server filesystem.
If Mitigated
Limited to reading files accessible to the application service account, with no ability to write files or execute code.
🎯 Exploit Status
XXE vulnerabilities are well-understood with many public exploitation techniques. Requires authenticated access but low technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 Q2 (10.0.24.406) or later
Vendor Advisory: https://docs.telerik.com/report-server/knowledge-base/xxe-vulnerability-cve-2024-4357
Restart Required: Yes
Instructions:
1. Download the latest version from the Telerik website.
2. Back up your current installation.
3. Run the installer to upgrade.
4. Restart the Report Server service.
🔧 Temporary Workarounds
Disable XXE Processing
Configure XML parsers to disable external entity processing
Modify web.config to set XmlResolver to null in XML reader settings
Network Segmentation
Restrict access to Report Server to trusted networks only
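As an added example (not Telerik's own code and not the Report Server's internal parser), this is what the Disable XXE Processing workaround above means in .NET: an XmlReaderSettings that prohibits DTDs and sets XmlResolver to null, applied to two constructed inputs. The class and method names (SafeXml, Hardened, TryLoad) and the sample documents are assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Hardened XML loading for any server-side parsing in a .NET application.
// Closing the XXE class of bugs requires both settings: refuse DTDs, and
// never let the reader resolve external resources even if a DTD slips in.
public static class SafeXml
{
    public static XmlReaderSettings Hardened()
    {
        return new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> becomes an XmlException
            XmlResolver = null,                     // no file:// or http:// fetches, ever
            MaxCharactersFromEntities = 1024        // bounds entity expansion if DTDs are ever re-enabled
        };
    }

    // Parses untrusted XML text with the hardened settings.
    // Returns true when the document was accepted, false when the reader rejected it.
    public static bool TryLoad(string xml, out XmlDocument doc, out string error)
    {
        doc = new XmlDocument { XmlResolver = null }; // XmlDocument carries its own resolver too
        error = null;
        try
        {
            using (var sr = new StringReader(xml))
            using (var reader = XmlReader.Create(sr, Hardened()))
            {
                doc.Load(reader);
                return true;
            }
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            doc = null;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: a plain document, and one that declares an
        // external entity (the shape an XXE probe takes); the path is a placeholder.
        const string plain = "<Report><Name>Quarterly</Name></Report>";
        const string withDtd = "<!DOCTYPE Report [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                             + "<Report><Name>&ext;</Name></Report>";

        Console.WriteLine(TryLoad(plain, out _, out _));          // accepted: no DTD present
        Console.WriteLine(TryLoad(withDtd, out _, out var reason)); // rejected before any entity is resolved
        Console.WriteLine(reason);
    }
}
```

The rejection happens at the DOCTYPE, so the entity's SYSTEM target is never opened; with XmlResolver left at its default and DtdProcessing set to Parse, the same input would read the referenced file into the document.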
🧯 If You Can't Patch
- Implement strict network access controls to limit Report Server access to authorized users only
- Monitor for unusual file access patterns and XML parsing errors in application logs
🔍 How to Verify
Check if Vulnerable:
Check the Report Server version in the web interface or installation directory. Versions 10.0.24.305 and earlier are vulnerable.
Check Version:
Check the version.txt file in the installation directory or view the About page in the web interface
Verify Fix Applied:
Verify the version is 10.0.24.406 or later. Test XML file upload functionality with XXE payloads to confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts from Report Server process to sensitive system paths
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- XML payloads containing external entity references in HTTP requests
- Outbound connections from Report Server to unexpected external systems
SIEM Query:
source="telerik-report-server" AND (message="*XXE*" OR message="*external entity*" OR message="*file://*" OR message="*SYSTEM*")