A critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer has recently been disclosed, with technical details and a proof-of-concept (PoC) exploit now available. Tracked as CVE-2024-1403, the vulnerability carries a maximum severity rating of 10.0 on the CVSS scoring system and affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
According to Progress Software, the vulnerability could potentially allow attackers to bypass authentication protections. Specifically, when the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain using the OS local authentication provider, unauthorized access may occur during attempted logins. Similarly, connections made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM) through AdminServer could also lead to unauthorized access.
The flaw arises due to incorrect handling of unexpected types of usernames and passwords, resulting in the incorrect return of authentication success from an OpenEdge local domain. Progress Software has addressed the issue in versions OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1.
Horizon3.ai, after reverse-engineering the vulnerable AdminServer service, has released a PoC for CVE-2024-1403. The exploit targets a function called connect(), which is invoked during a remote connection attempt. This function calls authorizeUser() to validate credentials, ultimately allowing unauthorized access if certain conditions are met, including the presence of a specific username.
Security researcher Zach Hanley suggests that deeper exploration of the attack surface could reveal avenues for remote code execution, potentially via the deployment of new applications through remote WAR file references. However, he notes that reaching this attack surface may require significant effort due to internal service message brokers and custom messages utilized within the system
