LoadMaster Security Vulnerability CVE-2024-1212
This article describes a LoadMaster security vulnerability that affects all LoadMaster releases after 7.2.48.1, as well as the LoadMaster Multi-Tenant (MT) VFNs. Please see CVE-2024-1212 for the official description.
The issue: it is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication. This is therefore regarded as a critical security issue. To close the security vulnerability, you must install one of the following security patches:
| LMOS Version | Download Links |
| --- | --- |
| 7.2.59.2 (GA) | 7.2.59.2 update image |
| 7.2.54.8 (LTSF) | 7.2.54.8 update image |
| 7.2.48.10 (LTS) | 7.2.48.10 update image |
For more information on how to apply the patch, refer to the Progress Knowledge Base Article on how to upgrade LoadMaster. Free LoadMaster customers cannot upgrade and so must back up their current configuration, redeploy a new version that isn’t vulnerable, and then apply the backup to the redeployed system.
In line with this announcement, we have updated our password policy. Please read the guidelines and reset your password. We are also strongly recommending that customers follow our security hardening guidelines.
If you have any questions, concerns, or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract. Customers whose maintenance has expired or lapsed can open a support ticket and request a support extension through the end of March 2024 to allow time to patch their LoadMaster(s).
Progress would like to thank Rhino Security Labs for notifying us of this issue as well as following responsible disclosure guidelines throughout this process.
Comments
Thanks from me, also. Want to know, too, how to subscribe.
Hi Christian, Holger,
You can receive CVE notices and other Security related posts by subscribing to the Security section. In the breadcrumb links above the title of this article, click on Security to go to the Security section page. There you'll see a "Follow" button on the right side of the page so you can follow posts in this section.
Mark
Where are the release notes for this version?
Does preventing external access to the management interface mitigate this attack? We only allow access to the management interface from the private network and then only allow specific IPs on that network to have access.
LoadMaster Version: 7.2.53.0.20474.RELEASE.20210312-1210
Which security patches are supported?
when trying to install 7.2.54.8 (LTSF) I get a failed checksum error.
Too low on info. Must be serious when the CVE is still empty and the release notes don't exist?
Hi All,
I'd like to respond to the queries and comments from the last few posts:
- Release Notes are now available for the 3 releases mentioned in this KB article. The only change to LMOS 7.2.59.2 and 7.2.54.8 is the fix for CVE-2024-1212 that closes the vulnerability. There is one additional change to note in 7.2.48.10 associated with the Network Telemetry add-on package for that release (and unrelated to the CVE).
- Preventing external access to the API IP:port on LoadMaster will partially mitigate this issue, should you not be able to update your LoadMaster immediately. If you are confident that only trusted personnel have this access, then this is a reasonable workaround to implement while awaiting a maintenance interval to apply the update. If you cannot guarantee that only trusted users have access to the network, it's advisable to disable access to the API entirely until the patch is applied.
- If you are running Version 7.2.53.0.20474.RELEASE.20210312-1210, I would recommend updating to the LTSF version 7.2.54.8. You can also upgrade to the GA version 7.2.59.2, but you should review the features and fixes made in the release in-between. This document contains a summary of release content that can help you decide.
- If you are experiencing checksum errors on install, please file a support ticket. I've upgraded several units to LMOS 7.2.54.8 and have not seen this problem. Perhaps it was a download issue?
- If you have concerns about the level of detail presented here or about mitigation options, please contact support.
Best regards, Mark
Where can I see which version I am using? I can't see the distinction between GA, LTSB and LTS anywhere.
Perhaps in the future it could be indicated under Home.
Best regards
Hi Toni,
The version number of the release you're running is always shown in the top right corner of the UI, and on the UI Home page. As you have noted, whether the release is GA, LTSF, or LTS is not indicated in the release number. The corresponding version numbers are:
- GA: 7.2.55.0 and above
- LTSF: 7.2.54.x
- LTS: 7.2.48.x
If you are running a release between the LTSF and LTS versions, or a release below the LTS version, we encourage you to upgrade to one of the above releases.
More information on GA/LTSF/LTS releases and selecting a release can be found in this knowledgebase article.
Mark
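The patch table in the article and the branch mapping in the reply above can be combined into a quick inventory triage check. The following is an added example, not Progress/Kemp code; it assumes the first four dotted numeric fields of a version string are the LMOS release (so "7.2.59.3.22368.RELEASE" is 7.2.59.3), the branch boundaries stated in the thread (LTS 7.2.48.x, LTSF 7.2.54.x, GA 7.2.55.0 and above), and that releases at or below 7.2.48.1 are outside the affected range as the article states.

```python
# Classify an LMOS version string against the fixed releases listed for
# CVE-2024-1212. Constructed example; only the LMOS release is assessed,
# not add-on packages (the thread notes the warning can persist after an
# LMOS upgrade until add-ons are updated too).
import re

# Patched releases from the advisory table, keyed by branch name.
FIXED = {"LTS": (7, 2, 48, 10), "LTSF": (7, 2, 54, 8), "GA": (7, 2, 59, 2)}
FIRST_AFFECTED = (7, 2, 48, 2)  # article: affects all releases after 7.2.48.1


def parse_lmos_version(text):
    """Return the leading four numeric fields of a version string as a tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not an LMOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def branch_of(v):
    """Map a release tuple to the branch names used in the thread, or None."""
    if v[:3] == (7, 2, 48):
        return "LTS"
    if v[:3] == (7, 2, 54):
        return "LTSF"
    if v >= (7, 2, 55, 0):
        return "GA"
    return None  # a release between the LTS and LTSF branches


def assess(text):
    """Return (status, recommended_release); status is 'not_affected',
    'patched' or 'vulnerable'."""
    v = parse_lmos_version(text)
    if v < FIRST_AFFECTED:
        return ("not_affected", None)
    branch = branch_of(v)
    if branch is None:
        # Not on a maintained branch: the reply recommends moving to LTSF.
        return ("vulnerable", "7.2.54.8")
    fixed = FIXED[branch]
    if v >= fixed:
        return ("patched", None)
    return ("vulnerable", ".".join(map(str, fixed)))


if __name__ == "__main__":
    for s in ("7.2.53.0.20474.RELEASE.20210312-1210", "7.2.59.3.22368.RELEASE",
              "7.2.48.1", "7.2.54.7"):
        print(s, assess(s))
```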
Hi,
I've upgraded my Kemp LB to 7.2.59.3.22368.RELEASE just last week. From my understanding of the info above, that one should not be vulnerable.
As of today it's again showing me a popup that there's a security vulnerability when I log in.
Why might that be?
Hi Pavel,
I'll look into this and get back to you.
Thanks for posting about this!
Mark
Same here. I have upgraded but still getting the pop-up message...
Same thing happened to me upgrading to 7.2.59.4
Looks like we had to upgrade the VMware Tools add-on also
I am also getting a notice that I am vulnerable to this CVE. I am on 7.2.59.4.22455.
Christian Fischer
Thanks for closing the vulnerability. Can I somewhere register my email for getting notified about future CVEs?