CVE-2024-0832: 
Progress Telerik Reporting vulnerability analysis and mitigation

A privilege elevation vulnerability (CVE-2024-0832) was identified in Telerik Reporting versions prior to 2024 R1 (18.0.24.130). The vulnerability exists in the applications installer component, where in environments with an existing Telerik Reporting installation, a lower privileged user can manipulate the installation package to elevate their privileges on the underlying operating system. The vulnerability was discovered by the Lockheed Martin Red Team and disclosed in January 2024 (Vendor Advisory).

The vulnerability affects the legacy Windows installer component of Telerik Reporting v18 and older versions. During initial installation, users must approve the UAC prompt for the installer to obtain elevated permissions. However, if the product has already been installed, the installer could be exploited to execute commands at a higher privilege level than the current user. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows an attacker who already has access to a Windows user's local account to gain elevated permissions on the system. This could potentially lead to complete system compromise through privilege escalation (Vendor Advisory).

The recommended mitigation is to update Telerik Reporting to version 2024 Q1 (18.0.24.130) or later. Installing the update will replace the legacy installer, effectively removing the avenue of attack. The vulnerability does not affect the Telerik Reporting product itself, only the Windows installer component (Vendor Advisory).

Progress Software Corporation, the company behind Telerik Reporting, acknowledged and credited the Lockheed Martin Red Team for their professionalism, completeness, and responsible disclosure of the vulnerability (Vendor Advisory).