
Proof-of-concept released for Progress Software OpenEdge vulnerability


March 11, 2024 | Editorial Department | Cyber Security / Vulnerabilities

Progress Software OpenEdge vulnerability

    Technical details and a proof-of-concept (PoC) of a recently disclosed critical security vulnerability in Progress Software OpenEdge Authentication Gateway and AdminServer that could be exploited to bypass authentication protections have become available.

    Tracked as CVE-2024-1403, this vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge domain that uses the operating system local authentication provider to grant user ID and password login permissions on operating platforms supported by the active version of OpenEdge, the authentication routine. The vulnerability could lead to unauthorized access,” the company said in an advisory late last month.


“Similarly, when OpenEdge Explorer (OEE) and OpenEdge Management (OEM) establish an AdminServer connection, it also leverages the operating system’s native authentication provider on the supported platform to grant user ID and password login permissions, which may also result in unauthorized login access.”

    Progress Software said the vulnerability could incorrectly return authentication success from the OpenEdge local domain if unexpected types of usernames and passwords are not properly handled, leading to unauthorized access without proper authentication.

    This flaw is resolved in OpenEdge LTS updates 11.7.19, 12.2.14, and 12.8.1.
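The following is an added example, not Progress Software's tooling, that turns the affected and fixed versions listed above into a quick inventory check. It assumes OpenEdge versions are written as "major.minor.patch" and that only the three branches named in the advisory are covered; anything else is reported as "not covered" rather than guessed at.

```python
# Added example (not Progress Software's code): classify OpenEdge version strings
# against the affected/fixed versions stated in the article above.
from typing import Dict, List, Tuple

# Fixed releases per branch, from the article: 11.7.19, 12.2.14, 12.8.1.
# Affected: 11.7.18 and earlier, 12.2.13 and earlier, 12.8.0.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (11, 7): (11, 7, 19),
    (12, 2): (12, 2, 14),
    (12, 8): (12, 8, 1),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a 3-tuple; a missing patch counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unrecognized version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(text: str) -> str:
    """Return 'affected', 'fixed', or 'not covered' for one version string."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        # Branch not named in the advisory: do not assume either way.
        return "not covered"
    return "fixed" if v >= fixed else "affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs into a patch worklist by status."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "not covered": []}
    for host, version in inventory:
        out[classify(version)].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("app-01", "12.8.0"),
        ("app-02", "12.8.1"),
        ("db-01", "11.7.18"),
        ("lab-01", "12.9.0"),
    ]
    print(triage(sample))
```

Versions on a branch later than the fixed release (for example 12.8.2) compare as fixed, while a two-part string such as "12.2" is padded to "12.2.0" and therefore flagged as affected.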

Horizon3.ai reverse-engineered the vulnerable AdminServer service and subsequently released a PoC for CVE-2024-1403, pointing out that the problem is rooted in a function called connect() that is invoked when a remote connection is established.

That function in turn calls another function, authorizeUser(), which verifies that the supplied credentials meet certain criteria and then passes control to another part of the code; if the supplied username matches “NT AUTHORITY\SYSTEM”, the user is authenticated directly.
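To make the flaw class concrete for both the "unexpected types of usernames and passwords" wording in the advisory and the special-cased username described just above, here is an added, hypothetical illustration. It is not OpenEdge's actual code: the provider database, the helper names, and the decision to treat the reserved service identity as non-loginable are all assumptions made for the example. It shows an authorization routine that short-circuits on a privileged name next to a hardened form that always defers to the authentication provider.

```python
# Added illustration (hypothetical, not OpenEdge's code): an authorization
# routine that trusts a username on its own, beside a hardened version that
# rejects unexpected input types and always consults the credential provider.
import hashlib
import hmac
from typing import Any, Dict, Tuple

# Username the article says was special-cased by the vulnerable routine.
RESERVED_NAME = "NT AUTHORITY\\SYSTEM"


def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed stand-in for the operating system's local authentication
# provider: username -> (salt, salted hash). Not a real account store.
_PROVIDER_DB: Dict[str, Tuple[str, str]] = {
    "alice": ("salt-1", _hash("salt-1", "correct horse battery")),
}


def os_provider_check(username: Any, password: Any) -> bool:
    """Stand-in for the platform's local authentication provider."""
    record = _PROVIDER_DB.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(salt, password), expected)


def authorize_user_vulnerable(username: Any, password: Any) -> bool:
    """Vulnerable pattern: an identity claim alone is accepted, with no
    credential check, when the name matches a trusted built-in account."""
    if username == RESERVED_NAME:
        return True
    return os_provider_check(username, password)


def authorize_user_hardened(username: Any, password: Any) -> bool:
    """Hardened pattern (assumed design, not the vendor's fix):
    1. inputs of an unexpected type or empty inputs never authenticate;
    2. the built-in service identity is not an interactive login account;
    3. every other name is validated by the provider, with no shortcuts."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not username or not password:
        return False
    if username.casefold() == RESERVED_NAME.casefold():
        return False
    return os_provider_check(username, password)


if __name__ == "__main__":
    # Constructed checks showing the difference between the two routines.
    print("vulnerable, reserved name, no credential:",
          authorize_user_vulnerable(RESERVED_NAME, ""))
    print("hardened, reserved name, no credential:",
          authorize_user_hardened(RESERVED_NAME, ""))
    print("hardened, valid user:",
          authorize_user_hardened("alice", "correct horse battery"))
```

The design point is that the hardened routine has exactly one path to success, the provider check, so there is no name or input type the caller can present that skips credential validation.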


“A deeper attack surface may appear to allow users to deploy new applications through remote WAR file references, but the complexity of reaching this attack surface increases dramatically due to the use of internal service message agents and custom messages,” said security researcher Zach Hanley.

    “We believe that with sufficient research effort, it may once again be possible to enable remote code execution through built-in functionality.”
