Progress Telerik: high-risk vulnerabilities allow code and command injection
Security vulnerabilities in Progress Telerik UI for WPF and WinForms allow attackers to inject malicious code and commands.
Updates for the development components Progress Telerik UI for WPF and Progress Telerik UI for WinForms close security vulnerabilities that attackers can use to inject and execute malicious code or commands. Administrators and developers who ship applications built on these libraries should install the updates promptly.
Progress Telerik warns of a total of four security vulnerabilities. Three affect Progress Telerik UI for WPF and one affects Progress Telerik UI for WinForms. All four are classified as high risk.
Several Progress Telerik components affected
The security bulletins do not go into the technical details of the vulnerabilities, so it remains unclear what an attack would look like or how it could be detected. What is known is that two of the vulnerabilities in Progress Telerik UI for WPF stem from insecure deserialization of data, which allows attackers to inject malicious code. The RadDiagram and RichTextBox controls are apparently affected.
Attackers can also inject commands into Telerik UI for WPF and WinForms. The cause is insufficient validation of hyperlink elements, which Progress does not describe in any further detail.
Progress Telerik UI for WPF and WinForms up to and including version 2024 Q3 (2024.3.806) are affected. Versions 2024 Q3 (2024.3.924) and newer fix the flaws. They are available for download from the customer account under "Product Downloads".
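Because the vulnerable code ships inside assemblies that are compiled into customer applications, updating the NuGet package or installer alone is not enough; the deployed binaries have to be checked. The following PowerShell script is an added example for this article, not code from heise or from Progress Telerik. It scans a directory tree for Telerik WPF and WinForms assemblies and flags any whose file version is below the fixed release 2024.3.924. The fix threshold comes from the article; the assembly file name patterns (Telerik.Windows.*.dll for WPF, Telerik.WinControls*.dll for WinForms) and the "year.quarter.build[.extra]" layout of their file version are assumptions.

```powershell
# Added example (not from the heise article or from Progress Telerik).
# Scans a directory tree for Telerik UI for WPF / WinForms assemblies and
# reports those older than the fixed release 2024 Q3 (2024.3.924).
# Assumptions: file name patterns and the "year.quarter.build[.extra]"
# version layout; the threshold 2024.3.924 is taken from the article.
param(
    [string]$Root = ".",
    [version]$Fixed = [version]"2024.3.924"
)

function Get-TelerikAssemblyStatus {
    param([string]$Path, [version]$FixedVersion)

    Get-ChildItem -Path $Path -Recurse -File `
        -Include 'Telerik.Windows.*.dll', 'Telerik.WinControls*.dll' `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = $_.VersionInfo
        $ver = $null
        # FileVersion may carry a fourth component (e.g. 2024.3.806.45);
        # only the first three identify the Telerik release.
        if ($info.FileVersion -and ($info.FileVersion -match '^(\d+)\.(\d+)\.(\d+)')) {
            $ver = [version]("{0}.{1}.{2}" -f $matches[1], $matches[2], $matches[3])
        }

        if ($null -eq $ver) {
            $status = 'unknown'          # no parseable version resource
        } elseif ($ver -lt $FixedVersion) {
            $status = 'VULNERABLE'       # older than 2024.3.924
        } else {
            $status = 'patched'
        }

        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $info.FileVersion
            Status      = $status
        }
    }
}

Get-TelerikAssemblyStatus -Path $Root -FixedVersion $Fixed |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Run it against the deployment directory of each application, for example `.\Check-Telerik.ps1 -Root 'C:\Program Files\MyApp'`. Assemblies reported as `unknown` lack a usable version resource and should be checked by hand; a rebuild against the patched package is still required for any assembly reported as `VULNERABLE`, because the fix is in the library code, not in a configuration setting.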
The list of individual security releases:
- Telerik UI for WPF Unsafe Deserialization Vulnerability, CVE-2024-8316, CVSS 7.8, risk "high"
- Telerik UI for WPF Unsafe Deserialization Vulnerability, CVE-2024-7576, CVSS 7.8, risk "high"
- Telerik UI for WPF Command Injection Vulnerability, CVE-2024-7575, CVSS 7.8, risk "high"
- Telerik UI for WinForms Command Injection Vulnerability, CVE-2024-7679, CVSS 7.8, risk "high"
Vulnerabilities in Progress Telerik software are a recurring target for cybercriminals. In June, for example, CISA warned of attacks in the wild exploiting vulnerabilities in Progress Telerik Report Server.
(dmk)