
LoadMaster Security Vulnerability CVE-2024-1212

This article describes a LoadMaster security vulnerability that affects all LoadMaster releases after 7.2.48.1, as well as the LoadMaster Multi-Tenant (MT) VNFs (virtual network functions). Please see CVE-2024-1212 for the official description.

The issue: an unauthenticated, remote attacker who can reach the LoadMaster management interface can send a carefully crafted API command that results in arbitrary system commands being executed on the appliance, with no authentication required. This is therefore regarded as a critical security issue. To close the vulnerability, you must install one of the following security patches:

LMOS Version       Download Link
7.2.59.2 (GA)      7.2.59.2 update image
7.2.54.8 (LTSF)    7.2.54.8 update image
7.2.48.10 (LTS)    7.2.48.10 update image

For more information on how to apply the patch, refer to the Progress Knowledge Base Article on how to upgrade LoadMaster. Free LoadMaster customers cannot upgrade in place; they must back up their current configuration, deploy a fresh instance of a release that is not vulnerable, and then restore the backup onto the redeployed system.

In line with this announcement, we have updated our password policy. Please read the guidelines and reset your password. We also strongly recommend that customers follow our security hardening guidelines.

If you have any questions, concerns, or problems related to this issue, please log in and open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers with a current support contract. LoadMaster customers whose maintenance has expired or lapsed can open a support ticket and request a support extension through the end of March 2024 to allow time to patch their LoadMaster(s).

Progress would like to thank Rhino Security Labs for notifying us of this issue as well as following responsible disclosure guidelines throughout this process. 



Comments


Christian Fischer

Thanks for closing the vulnerability. Can I register my email somewhere to get notified about future CVEs?



Holger Grönert

Thanks from me, also. Want to know, too, how to subscribe.



Mark Hoffmann

Hi Christian, Holger,

You can receive CVE notices and other Security related posts by subscribing to the Security section. In the breadcrumb links above the title of this article, click on Security to go to the Security section page. There you'll see a "Follow" button on the right side of the page so you can follow posts in this section.

Mark



marco hoedt

Where are the release notes for this version?



Your Office AnyWhere

Does preventing external access to the management interface mitigate this attack? We only allow access to the management interface from the private network and then only allow specific IPs on that network to have access.



Saiya Saikaew

LoadMaster Version 7.2.53.0.20474.RELEASE.20210312-1210

Which of the security patches applies?



user user

When trying to install 7.2.54.8 (LTSF) I get a failed checksum error.



Richard de Mooij

Too low on info. Must be serious when the CVE is still empty and the release notes don't exist?



Mark Hoffmann

Hi All,

I'd like to respond to the queries and comments from the last few posts:

  1. Release Notes are now available for the 3 releases mentioned in this KB article. The only change to LMOS 7.2.59.2 and 7.2.54.8 is the fix for CVE-2024-1212 that closes the vulnerability. There is one additional change to note in 7.2.48.10 associated with the Network Telemetry add-on package for that release (and unrelated to the CVE).
  2. Preventing external access to the API IP:port on LoadMaster will partially mitigate this issue, should you not be able to update your LoadMaster immediately. If you are confident that only trusted personnel have this access, then this is a reasonable workaround to implement while awaiting a maintenance interval to apply the update. If you cannot guarantee that only trusted users have access to the network, it's advisable to disable access to the API entirely until the patch is applied.
  3. If you are running Version 7.2.53.0.20474.RELEASE.20210312-1210, I would recommend updating to the LTSF version 7.2.54.8. You can also upgrade to the GA version 7.2.59.2, but you should review the features and fixes made in the releases in between. This document contains a summary of release content that can help you decide.
  4. If you are experiencing checksum errors on install, please file a support ticket. I've upgraded several units to LMOS 7.2.54.8 and have not seen this problem. Perhaps it was a download issue?
  5. If you have concerns about the level of detail presented here or about mitigation options, please contact support.

Best regards, Mark



Toni Pajung

Where can I see which version I am using? I can't see the distinction between GA, LTSB and LTS anywhere.

Perhaps in the future it could be indicated under Home.

Best regards



Mark Hoffmann

Hi Toni,

The version number of the release you're running is always shown in the top right corner of the UI, and on the UI Home page. As you have noted, whether the release is GA, LTSF, or LTS is not indicated in the release number. The corresponding version numbers are:

  • GA: 7.2.55.0 and above
  • LTSF: 7.2.54.x
  • LTS: 7.2.48.x

If you are running a release between the LTSF and LTS versions, or a release below the LTS version, we encourage you to upgrade to one of the above releases.

More information on GA/LTSF/LTS releases and selecting a release can be found in this knowledgebase article.

Mark

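
The branch mapping in the reply above can be turned into a quick self-check. The following is an added example for this thread, not Progress/Kemp code and not a tool the article provides: it parses the version string shown in the LoadMaster UI (the first four dotted numbers; the build suffix such as `.20474.RELEASE.20210312-1210` is ignored), assigns the GA/LTSF/LTS branch per Mark's reply, and compares the version with the patch release the article lists for that branch. It assumes, which the page does not state outright, that a release numerically at or above the listed patch release on its own branch carries the fix. For a version that sits between the LTS and LTSF branches it recommends the LTSF patch release, following reply 3 above; for one below 7.2.48 it picks 7.2.48.10 as the smallest step, a choice of this example, since the reply only says to move to one of the three releases.

```python
"""Check a LoadMaster (LMOS) version string against the CVE-2024-1212 patch
releases.  Added example for this KB thread; not Progress/Kemp code.

Branch boundaries follow Mark's reply above:
    GA   : 7.2.55.0 and above   patched in 7.2.59.2
    LTSF : 7.2.54.x             patched in 7.2.54.8
    LTS  : 7.2.48.x             patched in 7.2.48.10
Assumption (not stated on the page): a release that compares at or above
its branch's patch release carries the fix.
"""
import re
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Patch releases listed in the article, keyed by branch.
PATCHED = {
    "GA":   (7, 2, 59, 2),
    "LTSF": (7, 2, 54, 8),
    "LTS":  (7, 2, 48, 10),
}

# The UI shows strings such as "7.2.53.0.20474.RELEASE.20210312-1210";
# the first four dotted numbers identify the release, the rest is build info.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")


class Verdict(NamedTuple):
    version: Version
    branch: Optional[str]           # "GA", "LTSF", "LTS", or None if off-branch
    patched: bool
    recommended: Optional[Version]  # release to install when not patched


def parse_version(text: str) -> Version:
    """Extract (major, minor, release, patch) from a LoadMaster version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LoadMaster version string: {text!r}")
    major, minor, release, patch = (int(g) for g in m.groups())
    if (major, minor) != (7, 2):
        # Everything discussed on this page is 7.2.x; refuse rather than guess.
        raise ValueError(f"not a 7.2.x release: {text!r}")
    return (major, minor, release, patch)


def branch_of(v: Version) -> Optional[str]:
    """Map a 7.2.x.y version to GA/LTSF/LTS per the reply above, else None."""
    release = v[2]
    if release >= 55:
        return "GA"
    if release == 54:
        return "LTSF"
    if release == 48:
        return "LTS"
    return None  # between LTS and LTSF, or below LTS


def assess(text: str) -> Verdict:
    """Decide whether the given version is at or above its branch's patch release."""
    v = parse_version(text)
    branch = branch_of(v)
    if branch is not None:
        fixed = PATCHED[branch]
        ok = v >= fixed
        return Verdict(v, branch, ok, None if ok else fixed)
    # Off-branch: reply 3 above points a 7.2.53.0 system at the LTSF patch
    # release; for anything below 7.2.48 this example picks the LTS patch
    # release as the smallest jump (the reply only says "one of the above").
    target = PATCHED["LTSF"] if v[2] > 48 else PATCHED["LTS"]
    return Verdict(v, None, False, target)


def fmt(v: Version) -> str:
    """Render a version tuple back to dotted form, e.g. 7.2.59.2."""
    return ".".join(str(n) for n in v)


if __name__ == "__main__":
    # Constructed inputs: the two version strings posted in this thread plus
    # a few neighbours on either side of each patch release.
    for s in ["7.2.53.0.20474.RELEASE.20210312-1210", "7.2.59.3.22368.RELEASE",
              "7.2.54.7", "7.2.48.10", "7.2.47.0"]:
        r = assess(s)
        status = "patched" if r.patched else f"update to {fmt(r.recommended)}"
        print(f"{s:40} branch={r.branch or '-':5} {status}")
```

Paste the string from the top right corner of the UI into `assess()`; a `patched` result only means the version compares at or above the listed patch release, it does not replace the login-time vulnerability notice or a check of the release notes.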


Pavel Zlatarov

Hi,

I've upgraded my Kemp LB to 7.2.59.3.22368.RELEASE just last week. From my understanding of the info above, that one should not be vulnerable.

As of today it's again showing me a popup that there's a security vulnerability when I log in.

Why might that be?



Mark Hoffmann

Hi Pavel,

I'll look into this and get back to you.
Thanks for posting about this!

Mark
