Technical specifications and a Proof-of-Concept (PoC) exploit have been released for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could potentially be exploited to bypass authentication protections.
Tracked as CVE-2024-1403, the vulnerability carries the maximum severity score of 10.0 on the CVSS scale. It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
“When OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge domain that uses the operating system’s local authentication provider to grant user ID and password logins on operating platforms supported by active versions of OpenEdge, a vulnerability in the authentication routines could lead to unauthorized access in the event of login attempts,” the company said in a notice published late last month.
“Similarly, when an AdminServer connection is made from OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also uses the operating system’s local authentication provider on supported platforms to grant user ID and password logins which could also lead to unauthorized access.”
Progress Software said the vulnerability incorrectly reports authentication success from a local OpenEdge domain if unexpected types of usernames and passwords are not handled appropriately, leading to unauthorized access without proper authentication.
The flaw has been fixed in OpenEdge LTS Update versions 11.7.19, 12.2.14, and 12.8.1.
Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has since released a PoC for CVE-2024-1403, saying the issue is rooted in a function called connect() that is called when a remote connection is made.
This function, in turn, calls another function called AuthorizeUser(), which checks that the provided credentials meet certain criteria and passes the check to another piece of code which directly authenticates the user if the provided username matches “NT AUTHORITY\SYSTEM”.
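The flaw described above is an instance of a classic authentication anti-pattern: a client-supplied principal name is treated as proof of identity and short-circuits the real credential check. The following is an added illustrative model, not OpenEdge's or Horizon3.ai's code; the function names echo the write-up, while the local provider, the account data and the session shape are constructed for the example.

```python
"""Model of the authentication-shortcut flaw described for CVE-2024-1403.

Illustrative reconstruction only, NOT OpenEdge's code: connect() and
authorize_user*() mirror the names in the write-up, but the provider,
accounts and session structure are constructed for this example.
"""
import hmac

# Constructed stand-in for the operating system's local authentication provider.
_LOCAL_ACCOUNTS = {"oeadmin": "correct horse battery staple"}

def os_local_provider(username: str, password: str) -> bool:
    """Hypothetical local provider: validates a user ID / password pair."""
    expected = _LOCAL_ACCOUNTS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())

PRIVILEGED_PRINCIPAL = "NT AUTHORITY\\SYSTEM"

def authorize_user_vulnerable(username, password) -> bool:
    """Anti-pattern: a matching principal NAME is accepted as authentication.
    The provider is never consulted for this name, so the password is irrelevant."""
    if username == PRIVILEGED_PRINCIPAL:
        return True                      # direct authentication, no credential check
    return os_local_provider(username, password)

def authorize_user_fixed(username, password) -> bool:
    """Hardened form: unexpected credential types fail closed, and no username,
    privileged or otherwise, bypasses the provider."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False                     # 'unexpected types' are failures, not successes
    if not username or not password:
        return False
    # A well-known privileged principal typed by a remote client is just a
    # string; it goes through the same provider as every other login.
    return os_local_provider(username, password)

def connect(username, password, authorize=authorize_user_fixed):
    """Constructed model of the remote connection handler: returns a session
    only when the selected authorization routine accepts the credentials."""
    if not authorize(username, password):
        return None
    return {"user": username, "authenticated": True}
```

Running `connect("NT AUTHORITY\\SYSTEM", "", authorize_user_vulnerable)` yields a session while the fixed routine returns `None`, which is the behaviour difference the patch restores.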
“It appears that a deeper attack surface could allow a user to deploy new applications via remote WAR file references, but the complexity has increased significantly to reach this attack surface due to the use of internal service message brokers and personalized messages,” security researcher Zach Hanley said.
“We believe there is once again an avenue for remote code execution via built-in functionality, given sufficient research effort.”