CVE-2024-7345 Overview
CVE-2024-7345 is a critical authentication bypass vulnerability in Progress OpenEdge that enables unauthorized code injection into Multi-Session Agents (MSAs). The flaw resides in the Progress Application Server for OpenEdge (PASOE) and stems from local Advanced Business Language (ABL) clients bypassing required PASOE security checks. An attacker on an adjacent network can connect directly to MSAs and inject arbitrary code without authentication. The vulnerability affects OpenEdge Long Term Support (LTS) releases up to and including 11.7.18 and 12.2.13 across all supported release platforms. Progress has classified the issue under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers on adjacent networks can inject arbitrary code into Multi-Session Agents, compromising the confidentiality, integrity, and availability of OpenEdge applications.
Affected Products
- Progress OpenEdge LTS versions up to and including 11.7.18
- Progress OpenEdge LTS versions up to and including 12.2.13
- All supported OpenEdge release platforms running PASOE Multi-Session Agents
Discovery Timeline
- 2024-09-03 - CVE-2024-7345 published to NVD
- 2024-09-05 - Last updated in NVD database
Technical Details for CVE-2024-7345
Vulnerability Analysis
The vulnerability exists in how PASOE handles direct local connections from ABL clients to Multi-Session Agents. PASOE normally enforces authentication and authorization checks before client requests reach the MSA worker processes. A direct local client connection path bypasses these checks, allowing the attacker's ABL code to execute within the agent context. Because MSAs handle business logic and database access on behalf of multiple sessions, injected code inherits the privileges of the agent process. The scope is marked as changed in the CVSS vector because compromise of the MSA can affect resources beyond the vulnerable component, including backend databases and dependent services.
Root Cause
The root cause is missing enforcement of PASOE security checks on the local client connection path to MSAs. The PASOE broker validates incoming requests, but the direct connection channel used by local ABL clients does not pass through the same security gate. This design gap permits any ABL client able to reach the MSA endpoint to submit code for execution without proving identity.
Attack Vector
Exploitation requires adjacent network access to the host running PASOE with Multi-Session Agents enabled. An attacker uses a crafted local ABL client connection to send code that the MSA processes as trusted application logic. No user interaction or prior authentication is required. The injected ABL code can read or modify data, invoke business procedures, and interact with backend resources accessible to the agent. Refer to the Progress security advisory for vendor-supplied technical details.
Detection Methods for CVE-2024-7345
Indicators of Compromise
- Unexpected ABL client connections to MSA ports from non-application hosts or unusual local processes
- New or modified .r (compiled ABL) artifacts and procedure files appearing on PASOE hosts outside change windows
- PASOE agent logs showing session activity without preceding broker authentication events
- Spawned child processes or outbound connections from MSA worker processes inconsistent with normal application behavior
Detection Strategies
- Correlate PASOE broker authentication logs against MSA session logs to identify sessions that lack a matching authentication record
- Monitor process lineage on PASOE hosts for ABL clients (_progres, prowin) connecting to local MSA endpoints
- Alert on file integrity changes within OpenEdge working directories and propath locations
- Inspect network telemetry for adjacent-subnet hosts initiating connections to PASOE agent ports
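One way to implement the first strategy above (matching MSA session records against broker authentication records), as an added example that is not part of the original advisory or of Progress OpenEdge: a small Python correlator that flags agent sessions with no successful broker authentication shortly before them. The log layout, field names and sample lines are constructed placeholders, not the real PASOE log format; adapt the regex and event names to your deployment.

```python
# Added example, not from the advisory or Progress: correlate broker AUTH_OK records
# with MSA SESSION_START records and report sessions that never passed the broker.
# Log layout below is a constructed placeholder ("<ts> <component> <event> k=v ..."),
# not the real PASOE format.
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real PASOE output)
BROKER_LOG = """\
2024-09-04T10:00:01 broker AUTH_OK session=s1001 user=appsvc src=10.0.1.20
2024-09-04T10:00:05 broker AUTH_OK session=s1002 user=appsvc src=10.0.1.21
2024-09-04T10:00:09 broker AUTH_FAIL session=s1003 user=guest src=10.0.2.77
"""
AGENT_LOG = """\
2024-09-04T10:00:02 msa SESSION_START session=s1001 src=10.0.1.20
2024-09-04T10:00:06 msa SESSION_START session=s1002 src=10.0.1.21
2024-09-04T10:00:10 msa SESSION_START session=s1003 src=10.0.2.77
2024-09-04T10:00:12 msa SESSION_START session=s1004 src=10.0.2.78
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<comp>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(text):
    """Yield (timestamp, component, event, {key: value}) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the placeholder layout
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        yield datetime.fromisoformat(m["ts"]), m["comp"], m["event"], kv

def unauthenticated_sessions(broker_text, agent_text, window_s=30):
    """Return (session, src) pairs for MSA sessions lacking a broker AUTH_OK
    within window_s seconds before the session started."""
    auth_ok = {kv["session"]: ts for ts, _, ev, kv in parse(broker_text) if ev == "AUTH_OK"}
    suspect = []
    for ts, _, ev, kv in parse(agent_text):
        if ev != "SESSION_START":
            continue
        ok_ts = auth_ok.get(kv["session"])
        # Flag when there is no AUTH_OK, or it did not precede the session within the window
        if ok_ts is None or not (timedelta(0) <= ts - ok_ts <= timedelta(seconds=window_s)):
            suspect.append((kv["session"], kv.get("src", "?")))
    return suspect

if __name__ == "__main__":
    for sid, src in unauthenticated_sessions(BROKER_LOG, AGENT_LOG):
        print(f"ALERT: MSA session {sid} from {src} has no matching broker authentication")
```

In the sample data, s1003 (failed broker auth) and s1004 (no broker record at all) are reported; the two sessions that authenticated one second before starting are not.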
Monitoring Recommendations
- Enable verbose PASOE access logging and forward logs to a centralized SIEM for correlation
- Baseline normal MSA connection sources and alert on deviations
- Track creation of new ABL procedures and shared libraries on production OpenEdge servers
- Review database session activity for queries originating from agent contexts outside expected application flows
How to Mitigate CVE-2024-7345
Immediate Actions Required
- Upgrade Progress OpenEdge to a fixed release as identified in the Progress security advisory
- Restrict network access to PASOE MSA ports so only authorized application hosts can connect
- Audit all hosts on the same network segment as PASOE servers for unauthorized ABL client installations
- Review PASOE configuration to confirm authentication is enforced on every client connection path
Patch Information
Progress has issued fixes for OpenEdge LTS 11.7 and LTS 12.2 release lines. Customers should consult the Progress advisory for the specific fixed build numbers and upgrade guidance applicable to their deployment. Apply patches in non-production first and validate application behavior before promoting to production.
Workarounds
- Place PASOE hosts behind network segmentation that blocks adjacent-network access to MSA ports
- Limit which user accounts on the PASOE host can launch ABL clients capable of direct MSA connections
- Disable unused MSA instances to reduce the attack surface until patching is complete
- Increase audit logging on PASOE agents to capture all session activity for post-event review
# Configuration example: restrict MSA port access with host firewall (Linux iptables)
# Replace <MSA_PORT> with the configured agent port and <APP_HOST> with allowed clients
# Rules are evaluated in order: the ACCEPT for allowed hosts must precede the catch-all DROP,
# and both are appended after any existing rules, so check the chain with iptables -L INPUT -n
iptables -A INPUT -p tcp --dport <MSA_PORT> -s <APP_HOST> -j ACCEPT
iptables -A INPUT -p tcp --dport <MSA_PORT> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.