The Information Highway

The Information Highway
Font size: +
  Print
2 minutes reading time (334 words)

Progress LoadMaster vulnerable to 10/10 severity RCE flaw

43 Hits

Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device.

The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster's management interface using a specially crafted HTTP request.

However, the lack of user input sanitization could also allow the attacker to execute arbitrary system commands on vulnerable endpoints.

"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted HTTP request that will allow arbitrary system commands to be executed," reads the security bulletin.

"This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."

LoadMaster is an application delivery controller (ADC) and load balancing solution used by large organizations for optimizing app performance, managing network traffic, and ensuring high service availability.

The MT Hypervisor is a version of LoadMaster designed for multi-tenant environments, allowing multiple virtual network functions to run on the same hardware. 

CVE-2024-7591 was found to impact LoadMaster version 7.2.60.0 and all previous versions, and also the MT Hypervisor version 7.1.35.11 and all prior releases. Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches are also impacted.

To fix the flaw, Progress released an add-on package that can be installed on any of the vulnerable versions, including older releases, so there's no target versions to upgrade to in order to address the risk from this vulnerability.

However, the patch does not apply to the free version of LoadMaster, so CVE-2024-7591 remains a problem there.

Progress Software says it has not received any reports of active exploitation for the vulnerability as of the publication of its bulletin.

Nevertheless, all LoadMaster users are recommended to take the appropriate action to secure their environment against this possibility, including installing the add-on and also implementing the vendor-recommended security hardening measures.

0
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
Progress Software (10/10) severity vulnerability impacting LoadMaster LoadMaster Multi-Tenant Hypervisor products
Microsoft to start force-upgrading Windows 22H2 sy...
New RAMBO attack steals data using RAM in air-gapp...

About the author

Bill Toulas

Bill Toulas

Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives.
Author's recent posts
More posts from author
 

Comments

No comments made yet. Be the first to submit a comment
Tuesday, 17 September 2024

Captcha Image