CVE-2024-7294

7.5 HIGH

📋 TL;DR

This vulnerability lets an unauthenticated attacker mount an HTTP Denial-of-Service attack against Progress Telerik Report Server by flooding anonymous endpoints that apply no rate limiting (the vendor classifies it as uncontrolled resource consumption). Every deployment running a version before 2024 Q3 (10.2.24.806) whose anonymous endpoints are reachable is affected. A sustained flood can exhaust server resources and make the report server unavailable to legitimate users.

💻 Affected Systems

Products:
  • Progress Telerik Report Server
Versions: All versions prior to 2024 Q3 (10.2.24.806)
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only deployments whose anonymous endpoints are reachable by the attacker are exposed. Requiring authentication for those endpoints, or restricting who can reach them at the network level, reduces exposure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for all users, extended downtime, and potential resource exhaustion affecting other services on the same host.

🟠 Likely Case

Service degradation or temporary unavailability for legitimate users during attack periods.

🟢 If Mitigated

Minimal impact with proper rate limiting and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

HTTP flood attacks are well understood and trivial to mount with ordinary load-generation tooling. The anonymous endpoints require no authentication, so any client that can reach the server can attack it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024 Q3 (10.2.24.806) or later

Vendor Advisory: https://docs.telerik.com/report-server/knowledge-base/uncontrolled-resource-consumption-cve-2024-7294

Restart Required: Yes

Instructions:

1. Download Telerik Report Server 2024 Q3 (10.2.24.806) or later.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the Report Server service.
5. Verify functionality.

🔧 Temporary Workarounds

Implement Rate Limiting (applies to: all)

Configure the web server, reverse proxy or web application firewall in front of the Report Server to limit the request rate per client to the anonymous endpoints.

Disable Anonymous Access (applies to: all)

Require authentication for all endpoints if business requirements allow.

🧯 If You Can't Patch

  • Implement network-level rate limiting using WAF or load balancer
  • Monitor for unusual traffic patterns and implement automated blocking

🔍 How to Verify

Check if Vulnerable:

Compare the installed version against 10.2.24.806; any lower version is affected.

Check Version:

Read the version from the Report Server web interface (administration area) or from the installation's file properties.

Verify Fix Applied:

Confirm the version is 10.2.24.806 or higher. If you also deployed rate limiting, confirm that a burst of requests to an anonymous endpoint from a single client is throttled (HTTP 429 or dropped at the edge) rather than served in full.

📡 Detection & Monitoring

Log Indicators:

  • High volume of requests to anonymous endpoints
  • Increased error rates
  • Resource exhaustion warnings

Network Indicators:

  • Unusually high HTTP request rates from single or multiple sources
  • Pattern of requests to anonymous endpoints

SIEM Query:

source="telerik-report-server" | bin _time span=1m | stats count by _time, src_ip, endpoint | where count > 1000

Tune the threshold to your baseline; status=429 events only appear once an upstream rate limiter is in place, so alert on raw request counts per source and endpoint as well.
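The following script ties the rate-limiting workaround above to the detection logic in this section. It is an added example, not code from Progress or from the vendor advisory: it replays IIS-style W3C access-log lines (fields `date time c-ip cs-method cs-uri-stem sc-status`, constructed inline) through a per-client sliding-window limiter, reporting both the detection signal (peak requests per client per window against the anonymous endpoints) and the mitigation effect (how many of those requests a WAF or load balancer enforcing the same policy would have answered with 429). The `/anon/` path prefix is a hypothetical stand-in for the real anonymous endpoints.

```python
"""Request-rate check over access logs in front of Telerik Report Server.

Added example; not code from Progress or from the vendor advisory. Assumes
IIS-style W3C log lines with the fields
    date time c-ip cs-method cs-uri-stem sc-status
and a hypothetical anonymous path prefix ANON_PREFIX. Log lines are
constructed inline so the script runs offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical prefix standing in for the server's anonymous endpoints;
# substitute the real paths from the vendor advisory for your deployment.
ANON_PREFIX = "/anon/"
WINDOW = timedelta(seconds=1)   # sliding window the edge limiter enforces
MAX_REQUESTS = 20               # allowed requests per client IP per window

_T0 = datetime(2024, 8, 6, 10, 0, 0)


def _line(ts, ip, method, path, status):
    return f"{ts:%Y-%m-%d %H:%M:%S} {ip} {method} {path} {status}"


def build_sample_log():
    """Constructed sample: one client floods the anonymous endpoint at
    50 requests/second for three seconds, one client uses it normally, and
    a third bursts against a non-anonymous path (out of scope here)."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    for sec in range(3):
        for _ in range(50):
            lines.append(_line(_T0 + timedelta(seconds=sec), "203.0.113.7",
                               "GET", ANON_PREFIX + "report", 200))
    for sec in range(0, 60, 12):
        lines.append(_line(_T0 + timedelta(seconds=sec), "198.51.100.4",
                           "GET", ANON_PREFIX + "report", 200))
    for _ in range(30):
        lines.append(_line(_T0, "192.0.2.9", "GET", "/Report/Index", 200))
    return lines


def parse_w3c(lines):
    """Yield (timestamp, client_ip, path); skip '#' directive lines."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        date, clock, ip, _method, path, _status = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip, path


def rate_check(records, window=WINDOW, max_requests=MAX_REQUESTS, prefix=ANON_PREFIX):
    """Replay requests under `prefix` through a per-IP sliding-window limiter.

    Returns (peak, rejected): peak[ip] is the highest number of requests the
    client made to the prefix inside any single window (detection signal);
    rejected[ip] is how many of them a limiter allowing `max_requests` per
    window would have answered with 429 (mitigation effect).
    """
    observed, accepted = defaultdict(deque), defaultdict(deque)
    peak, rejected = defaultdict(int), defaultdict(int)
    for ts, ip, path in sorted(records, key=lambda r: r[0]):
        if not path.startswith(prefix):
            continue
        for q in (observed[ip], accepted[ip]):       # drop entries older than the window
            while q and ts - q[0] >= window:
                q.popleft()
        observed[ip].append(ts)                      # every request counts for detection
        peak[ip] = max(peak[ip], len(observed[ip]))
        if len(accepted[ip]) < max_requests:         # limiter: admit only up to the quota
            accepted[ip].append(ts)
        else:
            rejected[ip] += 1
    return dict(peak), dict(rejected)


def alerts(peak, max_requests=MAX_REQUESTS):
    """Client IPs whose peak in-window request count exceeds the limit."""
    return {ip: n for ip, n in peak.items() if n > max_requests}


if __name__ == "__main__":
    peak, rejected = rate_check(parse_w3c(build_sample_log()))
    for ip, n in alerts(peak).items():
        print(f"ALERT {ip}: {n} requests/{WINDOW.total_seconds():.0f}s to "
              f"{ANON_PREFIX}* ({rejected.get(ip, 0)} would have been 429)")
```

Drop the `prefix` filter to baseline all paths; the sliding-window count is the same computation a WAF or load-balancer rate rule performs, so the `peak` values from real logs tell you where to set the quota before you turn enforcement on.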
