Recently, a serious security vulnerability has been identified within Progress Software’s OpenEdge Authentication Gateway and AdminServer, which could potentially allow attackers to circumvent authentication mechanisms. This flaw has been designated as CVE-2024-1403 and carries a maximum severity score of 10.0 on the CVSS scale. It affects multiple versions of OpenEdge, including 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
The vulnerability arises when the OpenEdge Authentication Gateway (OEAG) is set up with an OpenEdge Domain utilizing the OS local authentication provider to facilitate user ID and password logins. According to Progress Software, this flaw is present in the authentication routines and may lead to unauthorized access during login attempts. This advisory was disseminated late last month, highlighting the critical nature of the issue.
Additionally, the AdminServer connection, made via OpenEdge Explorer (OEE) and OpenEdge Management (OEM), exhibits similar vulnerabilities due to its reliance on the OS local authentication provider. This means that unauthorized logins could also occur through these connections, exposing systems to heightened risk.
Progress Software clarified that improper handling of unexpected username and password types could incorrectly validate authentication success for an OpenEdge local domain, effectively eliminating the safeguards designed to protect user access. The company has rolled out patches in the form of OpenEdge LTS Update 11.7.19, 12.2.14, and 12.8.1 to mitigate this risk.
Horizon3.ai, having reverse-engineered the affected AdminServer service, has made available a proof-of-concept (PoC) exploit for CVE-2024-1403. The vulnerability centers around a function called connect(), which engages when a remote connection is initiated. This function subsequently invokes another function, authorizeUser(), that is intended to validate login credentials. However, if the username matches “NT AUTHORITY\SYSTEM,” it may bypass critical authentication checks.
Security researcher Zach Hanley elaborated on the implications of this vulnerability, suggesting that while the immediate attacker surface appears limited, there exist pathways for remote code execution due to intrinsic functionalities within the system. He notes that further research could uncover more significant exploits, emphasizing that even though the attack complexity is heightened by internal service message brokers, attackers may still find ways to utilize this flaw.
This incident highlights essential considerations for business owners in understanding how seemingly minor vulnerabilities can lead to serious security breaches. The attack could involve tactics outlined in the MITRE ATT&CK framework, particularly focusing on initial access and privilege escalation. As organizations rely increasingly on systems like OpenEdge for critical operations, the need for robust authentication mechanisms, continuous monitoring, and timely updates becomes paramount to safeguarding sensitive data.
