LoadMaster Security Vulnerabilities CVE-2024-2448 and CVE-2024-2449

This article describes two LoadMaster security vulnerabilities that affect all LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-2448 and CVE-2024-2449 for the official descriptions. 

Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact to customers. However, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.

Fix for CVE-2024-2448

A logged-in UI user with any permission level may be able to inject a shell command through the UI; the command executes in the context of that page and only for that user. This vulnerability has been closed by strengthening the input validation performed by the UI.

Fix for CVE-2024-2449

It is possible for a malicious actor who knows the IP address or hostname of a specific LoadMaster to direct a currently logged-in administrative user to a third-party site. In such a scenario, HTTP requests can be sent to the UI in the admin user's session to execute actions on the LoadMaster. This vulnerability has been closed by strengthening the validation performed during CSRF checks.

Update Details

To benefit from these security enhancements, customers must update to the latest Progress LoadMaster releases, as listed below:

Product         Affected Versions                        Patched Versions
LoadMaster      From 7.2.55.0 to 7.2.59.2 (inclusive)    7.2.59.3 (GA)    (XML Validation File)
LoadMaster      From 7.2.49.0 to 7.2.54.8 (inclusive)    7.2.54.9 (LTSF)  (XML Validation File)
LoadMaster      7.2.48.10 and all prior versions         7.2.48.11 (LTS)  (XML Validation File)
LoadMaster MT   7.1.35.10 and all prior versions         7.1.35.11 (MT)   (XML Validation File)

Multi-Tenant LoadMaster (LoadMaster MT) is affected as follows:

  • The individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LoadMaster versions listed above as soon as possible.
  • The hypervisor or Manager node is vulnerable; the Manager must be updated to LoadMaster MT version 7.1.35.11 to close these vulnerabilities.
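The affected-version table above is easy to misread when comparing version strings by hand (for example, "7.2.9" sorts after "7.2.59" as text). The following script is an added example, not Progress or Kemp code: it encodes the advisory's ranges and patched releases and reports which patched release a given build should move to. It assumes LoadMaster versions are always four dot-separated integers.

```python
# Added example (not Progress/Kemp code): check a LoadMaster build against the
# affected ranges in this advisory and report the patched release that closes
# CVE-2024-2448 / CVE-2024-2449 for it.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Rows copied from the advisory's table. Bounds are inclusive; a low bound of
# None means "all prior versions". A build newer than every row is not covered
# by this table and should be checked against the current advisory text.
AFFECTED = [
    ("LoadMaster",    (7, 2, 55, 0), (7, 2, 59, 2),  "7.2.59.3 (GA)"),
    ("LoadMaster",    (7, 2, 49, 0), (7, 2, 54, 8),  "7.2.54.9 (LTSF)"),
    ("LoadMaster",    None,          (7, 2, 48, 10), "7.2.48.11 (LTS)"),
    ("LoadMaster MT", None,          (7, 1, 35, 10), "7.1.35.11 (MT)"),
]


def parse_version(text: str) -> Version:
    """Turn '7.2.59.2' into (7, 2, 59, 2) so comparisons are numeric, not lexical.

    Assumes (not stated on the page) that a version is exactly four integers.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected LoadMaster version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_for(product: str, version: str) -> Optional[str]:
    """Return the patched release to upgrade to, or None if the build is not in
    any affected range from the table (for example, it is already patched)."""
    v = parse_version(version)
    for prod, low, high, fixed in AFFECTED:
        if prod != product:
            continue
        if (low is None or low <= v) and v <= high:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("LoadMaster", "7.2.57.0"), ("LoadMaster", "7.2.59.3"),
                             ("LoadMaster MT", "7.1.35.10")]:
        needed = patch_for(product, version)
        status = f"upgrade to {needed}" if needed else "not in an affected range"
        print(f"{product} {version}: {status}")
```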

For more information on how to apply the patch, refer to the Progress Knowledge Base Article on how to upgrade LoadMaster. Free LoadMaster customers cannot upgrade and so must back up their current configuration, redeploy a new version that isn’t vulnerable, and then apply the backup to the redeployed system.  

If you have any questions, concerns, or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers currently under a support contract. LoadMaster customers whose maintenance has expired or lapsed can open a support ticket and request a support extension through the end of March 2024 to allow time to patch their LoadMaster(s).

Progress would like to thank Rhino Security Labs for notifying us of these issues as well as following responsible disclosure guidelines throughout this process. 
