Cyber security news for all

    Progress Software OpenEdge Vulnerability: Security Breach Alert

    In a recent disclosure, technical details and a proof-of-concept exploit have emerged for a critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer. This vulnerability, tracked as CVE-2024-1403, poses a serious threat by potentially allowing unauthorized access despite authentication measures.

    The vulnerability, rated 10.0 on the CVSS scoring system, affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0. It stems from a misconfiguration of the OpenEdge Authentication Gateway (OEAG) and AdminServer that can be exploited to bypass authentication.

    The flaw arises when the OEAG is configured with an OpenEdge Domain that uses the OS local authentication provider for user-id and password logins. The AdminServer connection made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM) likewise relies on the OS local authentication provider, leaving it exposed to the same unauthorized access attempts.

    Progress Software has promptly addressed the issue in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1. They have emphasized the importance of updating to these patched versions to mitigate the risk posed by CVE-2024-1403.
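    To turn the affected and fixed versions above into a check that can be run over a host inventory, here is an added Python example (not from the article or from Progress Software). It assumes a plain major.minor.patch version string and, as an interpretation of the advisory, treats each listed range as applying to its own release line (11.7.x, 12.2.x, 12.8.0), so versions on other lines are reported as not covered.

```python
"""Check OpenEdge version strings against the CVE-2024-1403 affected ranges."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected ranges as reported: 11.7.18 and earlier, 12.2.13 and earlier, 12.8.0.
# Interpreted per release line (an assumption): each entry maps (major, minor)
# to (highest affected patch level, fixed LTS update to move to).
AFFECTED_LINES = {
    (11, 7): (18, "11.7.19"),
    (12, 2): (13, "12.2.14"),
    (12, 8): (0, "12.8.1"),
}


@dataclass(frozen=True)
class Verdict:
    version: str
    affected: Optional[bool]  # None when the release line is not covered by the advisory
    fixed_in: Optional[str]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (e.g. '12.2.13'); a missing patch level counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OpenEdge version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def check_version(text: str) -> Verdict:
    """Decide whether one reported version falls inside an affected range."""
    major, minor, patch = parse_version(text)
    line = AFFECTED_LINES.get((major, minor))
    if line is None:
        # Release line not named in the advisory; confirm with the vendor.
        return Verdict(text, None, None)
    max_affected, fixed = line
    return Verdict(text, patch <= max_affected, fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, update target) for every host still on an affected build."""
    hits = []
    for host, version in inventory:
        verdict = check_version(version)
        if verdict.affected:
            hits.append((host, version, verdict.fixed_in))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported OpenEdge version)
    sample = [("oe-prod-01", "12.2.13"), ("oe-prod-02", "12.2.14"),
              ("oe-dev-01", "12.8.0"), ("oe-legacy", "11.7.19"), ("oe-other", "12.5.1")]
    for host, ver, fix in triage(sample):
        print(f"{host}: {ver} is affected by CVE-2024-1403, update to {fix}")
```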

    Horizon3.ai, a security firm, has reverse-engineered the vulnerable AdminServer service and released a proof-of-concept exploit for CVE-2024-1403. According to their findings, the vulnerability lies in a function called connect(), which is invoked during remote connections.

    The exploit could potentially allow attackers to deploy new applications via remote WAR file references. However, exploiting this attack surface requires a deep understanding of internal service message brokers and custom messages, making it a complex endeavor.

    Security researcher Zach Hanley has highlighted the possibility of remote code execution via built-in functionality, given sufficient research effort. It’s crucial for OpenEdge users to update to the latest patched versions to protect their systems from potential exploitation. Stay tuned for further updates on this developing story.
