ECS Connection Manager Security Vulnerabilities CVE-2024-2448 and CVE-2024-2449

This article describes two ECS Connection Manager (ECS CM) security vulnerabilities that affect all prior firmware releases. Please see CVE-2024-2448 and CVE-2024-2449 for the official descriptions. 

Currently, we have not received any reports that these vulnerabilities have been exploited, and we are not aware of any direct impact to customers. However, we encourage all customers to upgrade their ECS Connection Manager deployments as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications of important product updates.

Fix for CVE-2024-2448

A logged-in UI user with any permission settings may be able to inject a shell command through the UI; the injected command executes in the context of that page and only for that user. This vulnerability has been closed by enhancing the input validation performed by the UI.

Fix for CVE-2024-2449

It is possible for a malicious actor who has prior knowledge of the IP address or hostname of a specific deployment to direct a currently logged-in administrative user to a third-party site. From that site, the admin user's browser can be made to send HTTP requests to the UI that execute actions on ECS Connection Manager. This vulnerability has been closed by enhancing the validation performed during CSRF checks.
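As an added illustration of the kind of check the fix above describes (this is example code, not Progress's own implementation), the following Python fragment rejects a state-changing UI request unless it both carries the session's CSRF token and originates from one of the deployment's own hostnames, so a request driven from a third-party site fails even though the browser attaches a valid admin session cookie. The trusted hostnames and function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed hostnames/IPs under which this deployment's UI is served.
TRUSTED_HOSTS = {"ecs-cm.example.internal", "192.0.2.10"}
# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Mint a per-session token and store it server-side (hypothetical session dict)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_host(headers):
    """Return the lowercase host named by Origin (preferred) or Referer, else None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            host = urlsplit(value).hostname  # "null" or garbage yields None
            return host.lower() if host else None
    return None


def csrf_check(method, headers, form, session):
    """Return (allowed, reason) for one UI request.

    Two independent controls: the request must come from our own origin, and it
    must present the token that only a page served by our UI could have read.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Browsers send Origin on cross-site POSTs; a missing or foreign source
    # host means the request was not submitted from this deployment's UI.
    src = _source_host(headers)
    if src is None or src not in TRUSTED_HOSTS:
        return False, "untrusted or missing Origin/Referer"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"
```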

Update Details

To benefit from these security enhancements, customers must update to one of the latest ECS Connection Manager releases listed below:

Affected Releases             Patched Releases
7.2.49.0 through 7.2.59.2     7.2.59.3 (GA): Firmware; XML Validation File

For more information on how to apply the patch, refer to the Progress Knowledge Base Article on how to upgrade LoadMaster. Free LoadMaster customers cannot upgrade and so must back up their current configuration, redeploy a new version that isn’t vulnerable, and then apply the backup to the redeployed system.  

If you have any questions, concerns, or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract. LoadMaster customers whose maintenance has expired or lapsed can open a support ticket and request a support extension through the end of March 2024 to allow time to patch their LoadMaster(s).

Progress would like to thank Rhino Security Labs for notifying us of these vulnerabilities as well as for following responsible disclosure guidelines throughout this process. 
