Updated September 27th 2014
As you may have seen reported elsewhere, an unauthorized disclosure of information vulnerability (dubbed “Shellshock” in the press) has been discovered in the Unix Bash shell, affecting a wide variety of Mac OS X and Linux operating systems, applications and appliances. This vulnerability may allow an attacker to remotely execute malicious code, for example through server-side CGI applications, simply by asking the system for basic information. Details on the vulnerability can be found in the NIST National Vulnerability Database and on Red Hat’s Security Blog.
KEMP has confirmed that the Web User Interface (WUI) of LoadMaster is vulnerable to exploitation by authenticated users (knowledge of account credentials is required). No vulnerability has been found that is exploitable by unauthenticated users. LoadMaster version 7.1-20b mitigates the vulnerability. Version 7.1-20b also contains a number of performance enhancements and is the recommended version for customers looking to protect against this risk. It mitigates Shellshock by preventing remote commands from executing successfully, even for authenticated users. As always, for any version of LoadMaster, it is strongly recommended that the management interface be protected and not exposed to the internet.
Specific to Shellshock, the non-exhaustive list below provides context around potential vectors by which the vulnerabilities could be exploited in LoadMaster. Based on ongoing improvements to LoadMaster, these were already addressed in version v7.1-16:
- Root access cannot be gained via any LoadMaster account, though read-only file system access can be gained with knowledge of the bal credentials. This read-only access is also modified in version 7.1-20b.
- It is not possible to pass environment variables through to the LoadMaster via SSH.
- DHCPD is not applicable because the DHCP daemon does not call any shell scripts.
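The vectors above all come down to one mechanism: whether the Bash binary on a host will run a command appended to a function definition that arrives in an environment variable. The following self-check is an added example written for this advisory, not KEMP's code and not something that runs against the LoadMaster WUI; it audits only the bash binary on the host where it is executed (the `shellshock_self_check` function name and the `MARKER` string are choices made here). The environment variable carries nothing but an echo of a marker, so a patched bash prints only the probe line.

```shell
#!/bin/sh
# Added example (not KEMP's code): audit whether the bash on this host still
# executes trailing commands from a function definition imported through an
# environment variable. Only the local interpreter is tested.
shellshock_self_check() {
    # $1 (optional): path to the bash binary to test; defaults to bash in PATH
    bash_bin="${1:-bash}"

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found: $bash_bin"
        return 2
    fi

    # The variable value defines a no-op function followed by a harmless echo.
    # A vulnerable bash runs the echo while importing the function; a patched
    # bash imports nothing from it and only runs the -c probe.
    out=$(env x='() { :;}; echo MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *MARKER*)
            echo "VULNERABLE: $bash_bin executes commands appended to imported functions"
            return 1
            ;;
        *)
            echo "OK: $bash_bin ignores commands appended to imported functions"
            return 0
            ;;
    esac
}

# Usage: run on each host you administer; exit status 0 = patched, 1 = vulnerable,
# 2 = interpreter not found. Pass an explicit path to test a non-default bash.
shellshock_self_check "$@"
```

The exit status, rather than the printed text, is what an inventory script should key on, so the function can be called from a fleet-wide audit and the results aggregated by host. Testing one interpreter path at a time matters because a host may carry more than one bash (for example under /bin and a package manager's prefix), and only the copy actually invoked by a CGI handler or login shell determines exposure.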
Customers on LoadMaster version 7.x should patch directly to version 7.1-20b. Customers on version 6.x will first need to upgrade to version 6.0-42 before upgrading to version 7.1-20b. Installation details can be found at https://support.kemptechnologies.com/hc/en-us/articles/201294935-LoadMaster-V7-1-20b-Is-Now-Available
For additional information and alternative download versions please contact KEMP Support.
We will continue to monitor this vulnerability in the coming days and weeks and provide relevant updates on new developments. Please provide any suggestions and feedback you may have.
KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to firstname.lastname@example.org .