CVE-2024-1403: 
Progress OpenEdge vulnerability analysis and mitigation

A critical authentication bypass vulnerability (CVE-2024-1403) was discovered in OpenEdge Authentication Gateway and AdminServer affecting versions prior to 11.7.19, 12.2.14, and 12.8.1 on all platforms supported by the OpenEdge product. The vulnerability, which received a CVSS score of 10.0 (Critical), was disclosed on February 27, 2024, and stems from a failure to properly handle username and password credentials (NVD, SecurityOnline).

The vulnerability exists in the authentication system where certain unexpected content passed into the credentials can lead to unauthorized access. Specifically, when the OpenEdge Authentication Gateway is configured with an OpenEdge Domain using the OS local authentication provider, or when an AdminServer connection is made by OpenEdge Explorer and OpenEdge Management, the authentication routines can be bypassed. The vulnerability is specifically located in the auth.dll component, where if a username matches 'NT AUTHORITY/SYSTEM', authentication is automatically granted (Horizon3).

The vulnerability allows unauthorized access to various OpenEdge components, including sensitive databases, management tools, and administrative functions. The affected components include the OpenEdge Authentication Gateway (OEAG), which serves as the front door to OpenEdge databases for both ABL and SQL clients, utilities, and PASOE agents, as well as the AdminServer which provides access to management tools like OpenEdge Management (OEM) and OpenEdge Explorer (OEE) (SecurityOnline).

Progress has released patches to address this vulnerability in OpenEdge versions 11.7.19, 12.2.14, and 12.8.1. For temporary mitigation, users can replace the vulnerable auth.dll library in the $DLC/bin directory with the revised version associated with their operating system. This mitigation is intended for short-term use until the full OpenEdge Update can be applied to deployments (NVD).