
ECS Connection Manager Security Vulnerabilities CVE-2024-3544 and CVE-2024-3543

This article describes ECS Connection Manager (ECS CM) security vulnerabilities that affect all ECS CM releases. Please see CVE-2024-3544 and CVE-2024-3543 for the official descriptions.

Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct impact to customers. However, we are encouraging all customers to upgrade their ECS CM implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.

This notification provides a brief description of these vulnerabilities and the related enhancements made in the affected releases.

Fix for CVE-2024-3544

The SSH private keys used for node authentication can be found in the virtual machine's 'rootfs' distributed by the manufacturer. An unauthenticated attacker who knows the IP address of, and has access to the same network as, one of the machines in the HA or Cluster group can use those keys to perform actions on it. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. The new Partner Communications shared secret parameter is located on the Certificates & Security > Remote Access page of the UI.

Fix for CVE-2024-3543

Use of a reversible password encryption algorithm allows attackers to decrypt passwords obtained through the attack described above in CVE-2024-3544. Sensitive information can easily be decrypted by the attacker, and the stolen credentials can then be used for arbitrary actions to corrupt the system. This vulnerability has been closed by closing the CVE-2024-3544 vulnerability.

Update Details

To benefit from these security enhancements, customers must update to the following ECS Connection Manager release (or a later release):

Affected Releases        Patched Releases
7.2.59.3 and earlier     7.2.59.4 GA Firmware
                         XML Validation File

For more information on how to apply the security patch, refer to the Progress Knowledge Base article on how to upgrade.

We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all ECS CM customers under a current support contract.

