
LoadMaster Security Vulnerabilities CVE-2024-3544 and CVE-2024-3543

This article describes LoadMaster security vulnerabilities that affect all LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) hypervisor. Please see CVE-2024-3544 and CVE-2024-3543 for the official descriptions.

Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact to customers. However, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.

This notification provides a brief description of these vulnerabilities and the related enhancements made in the affected releases.

Fix for CVE-2024-3544

The SSH private keys used for node authentication can be found in the virtual machine's 'rootfs' distributed by the manufacturer. Unauthenticated attackers who know the IP address of one of the machines in the HA or Cluster group and have access to the same network can use those keys to perform actions. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. The new Partner Communications shared secret parameter is located on the Certificates & Security > Remote Access page of the UI.

Fix for CVE-2024-3543

Use of a reversible password encryption algorithm allows attackers to decrypt passwords obtained through the attack described above in CVE-2024-3544. Sensitive information can easily be decrypted by the attacker, and the stolen credentials can then be used for arbitrary actions that corrupt the system. This vulnerability has been closed by closing the CVE-2024-3544 vulnerability.

Update Details

To benefit from these security enhancements, customers must update to the latest Progress LoadMaster releases, as listed below:

Product    | Affected Versions                       | Patched Versions
LoadMaster | From 7.2.55.0 to 7.2.59.3 (inclusive)   | 7.2.59.4 (GA); XML Validation File
LoadMaster | From 7.2.49.0 to 7.2.54.9 (inclusive)   | 7.2.54.10 (LTSF); XML Validation File
LoadMaster | 7.2.48.11 and all prior versions        | 7.2.48.12 (LTS); XML Validation File
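Added example (not Kemp/Progress code): a small Python check that maps a LoadMaster LMOS version string onto the affected and patched ranges in the table above and, following the support reply below that the fix also requires the Partner Communications shared secret, reports what remains to be done. It assumes that any release at or above the patched version on the same branch also carries the fix.

```python
# Added example, not Progress/Kemp code: classify a LoadMaster version against
# the affected/patched ranges from the advisory table and report remediation.

def parse_version(text: str) -> tuple:
    """'7.2.59.3' -> (7, 2, 59, 3); raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected LoadMaster version format: {text!r}")
    return tuple(int(p) for p in parts)

# (first affected, last affected, patched release, branch), highest branch first.
# Assumption: every release at or above the patched version on the same branch
# also carries the fix (the table only names the first fixed release).
RANGES = [
    ((7, 2, 55, 0), (7, 2, 59, 3), (7, 2, 59, 4), "GA"),
    ((7, 2, 49, 0), (7, 2, 54, 9), (7, 2, 54, 10), "LTSF"),
    ((0, 0, 0, 0), (7, 2, 48, 11), (7, 2, 48, 12), "LTS"),   # "and all prior versions"
]

def fix_status(version: str) -> tuple:
    """Return (is_affected, patched_version, branch) for the given version."""
    v = parse_version(version)
    for lo, hi, patched, branch in RANGES:
        if lo <= v <= hi:                       # inside an affected range
            return (True, ".".join(map(str, patched)), branch)
        if v >= patched:                        # on or above this branch's fix
            return (False, ".".join(map(str, patched)), branch)
    raise AssertionError("version ranges should cover every input")

def remediation(version: str, shared_secret_set: bool) -> str:
    """Combine the version check with the shared-secret requirement."""
    affected, patched, branch = fix_status(version)
    if affected:
        return (f"upgrade to {patched} ({branch}) and then set the "
                "Partner Communications shared secret")
    if not shared_secret_set:
        return ("set the Partner Communications shared secret "
                "(Certificates & Security > Remote Access)")
    return "ok"

if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, shared secret configured)
    for host, ver, secret in [("lm-a", "7.2.59.3", False),
                              ("lm-b", "7.2.54.10", False),
                              ("lm-c", "7.2.48.12", True)]:
        print(host, ver, "->", remediation(ver, secret))
```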

Multi-Tenant LoadMaster (LoadMaster MT) is also affected, as follows:

  • The individual instantiated LoadMaster VNFs are vulnerable and must be patched to one of the LMOS versions listed above as soon as possible.
  • Note that the MT hypervisor or Manager node is not vulnerable and doesn’t need to be updated.

For more information on how to apply the security patches above, refer to the Progress Knowledge Base article on how to upgrade LoadMaster.

We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all LoadMaster customers under a current support contract.



Comments


Admin Informatique

the "how to upgrade LoadMaster." link is broken



Jake Whelan

Hi Admin Informatique,

Thank you for your comment. We have checked the "how to upgrade LoadMaster." link and it is redirecting to our technical note for upgrading the LoadMaster firmware as expected (https://docs.progress.com/bundle/loadmaster-technical-note-updating-the-loadmaster-software-ga/page/Introduction.html).

If you require any assistance upgrading the firmware, please open a support ticket and we would be happy to help!

Best regards,

Jake



Kevin Bergamo

In the LoadMaster vulnerabilities page (LoadMaster Vulnerabilities – Kemp Support (kemptechnologies.com)) it is stated that these CVEs are affecting the API libraries.

Does it mean that if the API interface is disabled as a Remote Access option, then the LoadMaster is not vulnerable to these CVEs?

Thanks



Tebogo Johnson

When the preshared key is not enabled, will LoadMaster still fail over to the secondary device?



Mark Hoffmann

Hello -- I'm responding here to the previous two posts:

W.r.t. Kevin Bergamo's question about shutting off API access: this action doesn't mitigate the vulnerability, which is only closed by upgrading to one of the listed versions (or above) and setting the partner communications shared secret.

W.r.t. Tebogo Johnson's question: Yes, HA and Clustering will work as expected without the shared secret being set, as in previous releases that do not support the shared secret. Be aware, however, that not setting the shared secret leaves the system vulnerable to the CVEs listed above.

Best regards,

Mark
