Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could potentially be exploited to bypass authentication protections.
Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It impacts OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company said in an advisory released late last month.
“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”
Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access without proper authentication.
The flaw has been addressed in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.
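An added example (not from the article, the advisory, or Horizon3.ai) for triaging an OpenEdge inventory against the affected and fixed versions listed above; the host names and version strings in the sample inventory are constructed, and branches the advisory does not name are reported as unlisted rather than guessed at.

```python
import re

# Version data as stated in the Progress advisory for CVE-2024-1403, keyed by
# release branch (major, minor): (last affected patch level, first fixed patch level).
CVE_2024_1403_BRANCHES = {
    (11, 7): (18, 19),   # 11.7.18 and earlier affected; fixed in LTS Update 11.7.19
    (12, 2): (13, 14),   # 12.2.13 and earlier affected; fixed in 12.2.14
    (12, 8): (0, 1),     # 12.8.0 affected; fixed in 12.8.1
}


def parse_version(text: str) -> tuple:
    """Parse an OpenEdge version string such as '12.2.13' (a fourth component is ignored)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised OpenEdge version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for CVE-2024-1403."""
    major, minor, patch = parse_version(version)
    branch = CVE_2024_1403_BRANCHES.get((major, minor))
    if branch is None:
        # Branch not named in the advisory: do not assume safe, check vendor guidance.
        return "unlisted"
    last_affected, first_fixed = branch
    return "affected" if patch <= last_affected else "fixed"


def triage(inventory: dict) -> dict:
    """Map each host in an inventory {host: version} to its CVE-2024-1403 status."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample = {
        "oeag-01": "11.7.18",
        "oeag-02": "12.2.14",
        "admin-01": "12.8.0",
        "dev-01": "12.5.1",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```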
Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, stating the issue is rooted in a function called connect() that is invoked when a remote connection is made.
This function, in turn, calls another function called authorizeUser() that validates that the supplied credentials meet certain criteria, and passes control to another part of the code that directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM.”
“Deeper attack surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” security researcher Zach Hanley said.
“We believe there is again likely an avenue to remote code execution via built-in functionality given enough research effort.”