A critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer has recently been disclosed. The vulnerability is tracked as CVE-2024-1403 and has a maximum severity rating of 10.0 on the CVSS scoring system. It affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.
The flaw can be exploited for bypassing authentication protections. Technical specifics and a proof-of-concept (PoC) exploit have been made available.
According to an advisory released by the company, the vulnerability is related to the authentication routines of the OpenEdge Authentication Gateway. When the OEAG is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, it may lead to unauthorized access on attempted logins. Progress Software said the vulnerability incorrectly returns authentication success from an OpenEdge local domain if unexpected types of usernames and passwords are not appropriately handled, leading to unauthorized access sans proper authentication.
Quadrant urges users of OpenEdge to patch with LTS Update 11.7.19, 12.2.14, or 12.8.1, depending on the version in use.
