Threat update

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Progress Kemp LoadMaster (CVE-2024-1212) and VMware vCenter Server (CVE-2024-38812, CVE-2024-38813) to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities allow attackers to execute arbitrary commands, gain remote code execution (RCE), and escalate privileges. Continue reading this Cybersecurity Threat Advisory to reduce your risk of exploitation from these vulnerabilities. 

Technical Detail and Additional Info

What is the threat?

Progress Kemp LoadMaster is impacted by CVE-2024-1212, a critical OS command injection vulnerability (CVSS score: 10.0). An unauthenticated attacker can exploit this flaw via the management interface to execute arbitrary commands, leading to complete control over the load balancer.

Similarly, VMware vCenter Server is affected by two flaws:

• CVE-2024-38812 (CVSS score: 9.8) is a heap overflow vulnerability in the DCERPC protocol that enables RCE with network access.
• CVE-2024-38813 (CVSS score: 7.5) is a privilege escalation flaw that allows attackers to elevate privileges to root-level access.

Both of these vulnerabilities were patched earlier but further fixes are required for CVE-2024-38812 due to incomplete remediation. 

Why is it noteworthy?

These vulnerabilities pose a significant risk due to their critical nature, high CVSS scores, and active exploitation by threat actors. The inclusion of CVE-2024-1212 in CISA's Known Exploited Vulnerabilities (KEV) catalog, coupled with reports of ongoing exploitation of VMware vCenter vulnerabilities by multiple threat groups, heightens the threat to users of VMware vCenter. The potential for attackers to gain full control over vital infrastructure, such as load balancers and virtualization platforms, could lead to severe operational disruptions. This is particularly alarming for organizations that rely on these systems to maintain high-availability environments.

What is the exposure or risk?

Exploitation of these flaws can grant attackers full control over critical systems such as load balancers and virtualization platforms, disrupting operational workflows, and compromising business continuity. Attackers may leverage these vulnerabilities to exfiltrate sensitive data or introduce ransomware, leading to financial and reputational damages. Furthermore, the exploitation allows adversaries to escalate privileges and move laterally within networks, increasing the scope of compromise. Publicly exposed systems running unpatched versions are particularly vulnerable, and the consequences can cascade across interconnected systems, jeopardizing organizational security and critical infrastructure reliability. 

What are the recommendations?

 LBT Technology Group strongly recommends organizations take these steps to reduce the risk of exploitation and protect their critical infrastructure:

1. Install updates for Progress Kemp LoadMaster and VMware vCenter Server to address CVE-2024-1212, CVE-2024-38812, and CVE-2024-38813.
2. Restrict access to management interfaces and use multi-factor authentication (MFA) for additional protection.
3. Reduce public-facing endpoints by placing critical infrastructure behind secure VPNs or firewalls.
4. Implement monitoring for unusual access or command execution activity, especially on systems running DCERPC or administrative services.
5. Enforce segmentation and deploy intrusion detection systems to minimize the blast radius of a successful attack.
6. Regularly audit systems for vulnerabilities and train IT teams to identify and respond to active exploits.

References

 For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact LBT's Sales Engineer.