Technical details and a proof-of-concept (PoC) attack have been made public for a newly reported severe security weakness in Progress Software’s OpenEdge Authentication Gateway and AdminServer, which may possibly be used to circumvent authentication safeguards.

The vulnerability, identified as CVE-2024-1403, has a maximum severity level of 10.0 on the CVSS scoring system. It applies to OpenEdge versions 11.7.18 and prior, 12.2.13 and older, and 12.8.0.

“When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins,” the company stated in an advisory issued at the end of last week.

Magnet Goblin Hacker Group Uses One-Day Exploits to Deploy Nerbian RAT

“Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

According to Progress Software, the vulnerability mistakenly provides authentication success from an OpenEdge local domain if unexpected users and passwords are not properly handled, resulting in illegal access without proper authentication.

The issue has been fixed in OpenEdge LTS Updates 11.7.19, 12.2.14, and 12.8.1.

Horizon3.ai, which reverse-engineered the vulnerable AdminServer service, has subsequently provided a proof-of-concept for CVE-2024-1403, claiming that the problem stems from a function named connect(), which is called when a remote connection is established.

This method calls authorizeUser(), which checks the given credentials and sends control to another portion of the code that directly authenticates the user if the username matches “NT AUTHORITY\SYSTEM.”

Password pirates are targeting PetSmart accounts.

“Deeper attacker surface looks like it may allow a user to deploy new applications via remote WAR file references, but the complexity increased dramatically in order to reach this attack surface because of the use of internal service message brokers and custom messages,” said Zach Hanley, a security researcher at Microsoft.

“We believe there is again likely an avenue to remote code execution via built in functionality given enough research effort.”

source