Finding Progress OpenEdge Authentication Gateway and AdminServer installations with runZero
Progress Software disclosed an authentication bypass vulnerability in its OpenEdge Authentication Gateway and AdminServer applications.
This vulnerability, identified as CVE-2024-1403, allows attackers to bypass checks and access the system without authentication. Successful exploitation of this vulnerability would allow attackers to access systems with arbitrary privileges, potentially including administrative privileges.
The vendor indicates that the OpenEdge Authentication Gateway is potentially vulnerable based on configuration, but that the AdminServer product is vulnerable regardless of configuration.
What is the impact?
Successful exploitation of these vulnerabilities would allow attackers to execute arbitrary commands with full privileges on the target system, potentially leading to complete system compromise.
Are updates or workarounds available?
The vendor has released updates that fix these issues. The vendor recommends that all users upgrade to this version immediately.
How do I find Progress OpenEdge Authentication Gateway and AdminServer installations with runZero?
From the Services Inventory, use the following query to locate potentially vulnerable systems:
html.title:="Progress Application Home"
Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.
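For inventories kept outside runZero, the same title check can be run over HTTP response bodies you have already collected from your own assets. The following is an added example, not code from runZero or Progress; it assumes the query's := operator means an exact match on the page title, and the record field names (address, port, body) and sample data are constructed for illustration.

```python
from html.parser import HTMLParser

TARGET_TITLE = "Progress Application Home"  # title string from the query on this page


class TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_title, self.done, self.parts = False, False, []

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True

    def handle_data(self, data):
        if self.in_title:
            self.parts.append(data)


def extract_title(body):
    """Return the page title with whitespace runs collapsed (this example's choice)."""
    parser = TitleParser()
    parser.feed(body)
    parser.close()
    return " ".join("".join(parser.parts).split())


def find_matches(records, target=TARGET_TITLE):
    """Return (address, port) of records whose title equals target exactly."""
    return [(r["address"], r["port"]) for r in records
            if extract_title(r["body"]) == target]


# Constructed sample records (documentation addresses, hypothetical field names).
SAMPLE = [
    {"address": "192.0.2.10", "port": 8443, "body": "<html><head><title>Progress Application Home</title></head></html>"},
    {"address": "192.0.2.11", "port": 443, "body": "<html><head><TITLE>\n Progress Application Home \n</TITLE></head></html>"},
    {"address": "192.0.2.12", "port": 80, "body": "<title>Progress Application Home - Help</title>"},
    {"address": "192.0.2.13", "port": 80, "body": "<html><body>no title</body></html>"},
]

if __name__ == "__main__":
    for address, port in find_matches(SAMPLE):
        print(f"{address}:{port} matches; check its OpenEdge version against the vendor advisory")
```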
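About Version 2
Version 2 Digital is a value-added distributor and IT developer based in Asia. The company distributes and develops a range of IT products across fields including network security, cloud, data protection, endpoint devices, infrastructure, system monitoring, storage, network management, business productivity and communication products.
Through its extensive network, channels, points of sale, resellers and partners, Version 2 provides products and services that are widely praised in the market. Version 2's sales network covers Taiwan, Hong Kong, Macau, mainland China, Singapore, Malaysia and other parts of the Asia-Pacific region. Its customers come from all industries, including Global 1000 multinational corporations, listed companies, utilities, healthcare, finance, educational institutions, government departments, numerous successful SMEs and consumer-market customers from cities across Asia.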
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

