Mitigation for Remote Access Execution Vulnerability

Summary

KEMP Advisory ID: kemp-lmos-20182003-remote-access-execution

First Published: 2018 March 22

Last Updated: 2018 April 5

Workarounds: Yes

CVE: CVE-2018-9091

Impacted Functional Area: WUI Authentication with Session Management Enabled

 

A critical vulnerability in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthenticated, remote attacker to bypass WUI authentication, gain system privileges and execute commands (for example ls, ps or cat) with those privileges, thereby compromising the system. In certain cases this remote execution may also expose sensitive system data such as certificates, private keys and other information.

 

2018 April 05 Update
Expanded Scope: The scope of this vulnerability has been expanded as follows: In certain cases, it is also exploitable through the injection of arbitrary executable commands in cookies that are being passed back to the LoadMaster.

 

Affected Products

The following products are affected by this vulnerability:

LoadMasters running LMOS versions 6.0.44 – 7.2.41.1

2018 April 05 Update
Expanded Scope: The expanded scope of the vulnerability impacts LoadMasters running mainstream LMOS versions 6.0.44 – 7.2.41.2

Products Not Affected

The following products are not affected by this vulnerability:

  • LoadMasters running mainstream LMOS version 7.2.41.2 or higher
  • LoadMasters running Long Term Support (LTS) LMOS version 7.1.35.5
  • LoadMasters running mainstream LMOS version 6.0.42 or lower.
  • All versions of KEMP 360 Central

2018 April 05 Update
Expanded Scope: LoadMasters running LMOS version 7.2.42 or higher are not affected by the 2018 April 3rd expanded scope of this vulnerability.
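Because the LTS builds (7.1.35.x) fall numerically inside the affected mainstream range, a naive version comparison misclassifies them. The following triage helper, added here as an example and not Kemp code, applies the ranges stated above to an inventory of version strings. It assumes that the LTS branch is identified by the 7.1.35 prefix, that any LTS build below the fixed build (7.1.35.5 for the original scope, 7.1.35.6 for the expanded scope) is affected, and that a missing trailing version component is 0 (so 7.2.42 equals 7.2.42.0); the inventory at the bottom is constructed.

```python
"""Triage LMOS version strings against the affected ranges in this advisory.

Added example, not Kemp code. Assumptions (not stated on the page): the LTS
branch is identified by the 7.1.35 prefix, LTS builds below the fixed build
are affected, and a missing trailing component is 0.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse '7.2.41.1' or '7.2.42' into a 4-tuple for ordered comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected LMOS version format: {text!r}")
    parts += [0] * (4 - len(parts))  # assumption: 7.2.42 == 7.2.42.0
    return (parts[0], parts[1], parts[2], parts[3])


# Ranges and fixed builds as given in the advisory.
AFFECTED_LOW = parse_version("6.0.44")
ORIGINAL_SCOPE_HIGH = parse_version("7.2.41.1")   # 6.0.44 - 7.2.41.1
EXPANDED_SCOPE_HIGH = parse_version("7.2.41.2")   # 6.0.44 - 7.2.41.2
LTS_PREFIX = (7, 1, 35)                            # assumption: LTS branch
LTS_FIXED_ORIGINAL = parse_version("7.1.35.5")     # not affected (original)
LTS_FIXED_EXPANDED = parse_version("7.1.35.6")     # fix for expanded scope
MAINSTREAM_FIX = "7.2.42.0"
LTS_FIX = "7.1.35.6"


def is_lts(v: Version) -> bool:
    return v[:3] == LTS_PREFIX


def is_affected(version: str, expanded_scope: bool = True) -> bool:
    """True if the build is inside the affected range for the chosen scope."""
    v = parse_version(version)
    if is_lts(v):
        # LTS must be handled by branch, not by the mainstream numeric range.
        fixed = LTS_FIXED_EXPANDED if expanded_scope else LTS_FIXED_ORIGINAL
        return v < fixed
    high = EXPANDED_SCOPE_HIGH if expanded_scope else ORIGINAL_SCOPE_HIGH
    return AFFECTED_LOW <= v <= high


def recommended_target(version: str) -> str:
    """Fixed build to upgrade to, staying on the unit's current branch."""
    return LTS_FIX if is_lts(parse_version(version)) else MAINSTREAM_FIX


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Return (name, version, affected, target) rows, sorted by name."""
    rows = []
    for name, ver in sorted(inventory.items()):
        affected = is_affected(ver)
        rows.append((name, ver, affected, recommended_target(ver) if affected else None))
    return rows


if __name__ == "__main__":
    # Constructed inventory; names and versions are placeholders.
    fleet = {
        "lm-dc1-01": "7.2.41.1",
        "lm-dc1-02": "7.2.41.2",
        "lm-dc2-01": "7.2.42.0",
        "lm-lts-01": "7.1.35.5",
        "lm-lts-02": "7.1.35.6",
        "lm-old-01": "6.0.42",
    }
    for name, ver, affected, target in triage(fleet):
        status = f"AFFECTED -> upgrade to {target}" if affected else "not affected"
        print(f"{name:12} {ver:10} {status}")
```

Pass expanded_scope=False to reproduce the classification from the 2018 March 22 release (where 7.2.41.2 and LTS 7.1.35.5 were listed as not affected); the default reflects the 2018 April 05 expanded scope.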

 

Workarounds

Upgrade to mainstream LMOS version 7.2.42.0 or Long Term Support (LTS) LMOS version 7.1.35.6.

 

If timely mitigation of the remote access execution vulnerability by patching is not possible, please see the following guidelines for limiting access to the LoadMaster's administrative interface.

Since the vulnerability impacts WUI Authentication with Session Management enabled, one alternative to patching would be to disable Session Management. Under Certificates and Security > Admin WUI Access uncheck the box for Enable Session Management. 

Disabling Session Management reverts the LoadMaster WUI to Basic Authentication, accepting only the "bal" user and any other local users configured under User Management. Be sure that the credentials of the "bal" user, or of another local user with appropriate access, are known before disabling Session Management, or you will lock yourself out of the WUI.

Customers using Kemp 360 Vision and/or Kemp 360 Central may not want to disable Session Management, because those products require it to be enabled. In this case the following steps can be taken to limit access to the LoadMaster's administrative interface.

Dedicate a VLAN or interface to management traffic that is isolated from any VLAN or interface used for virtual service traffic.

Remove management traffic from all other interfaces. Under Certificates and Security > Remote Access, ensure that the dedicated VLAN or interface is selected from the Allow Web Administrative Access drop-down menu. Ensure that the Allow Multi Interface Access checkbox is unchecked.

Use a tight subnet mask to keep the management subnet as small as possible.

Use a firewall to separate the management subnet from all other networks, and set up restrictive ACLs on the firewall that allow access only from management workstations.
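After applying the steps above, confirm that they actually took effect: the WUI port should answer from a management workstation and be unreachable from any host on a virtual-service VLAN. The probe below is an added example, not Kemp code or part of this advisory. It assumes the WUI listens on TCP 8443 (the LoadMaster default; change WUI_PORT if you moved it), and the addresses in the main block are constructed placeholders. Run it once from each network and compare the result against the expectation you set for that vantage point.

```python
"""Check that the LoadMaster WUI is reachable only from the management network.

Added example, not Kemp code. Assumption: the WUI listens on TCP 8443 (the
default port); the addresses under __main__ are constructed placeholders.
"""
import socket
from typing import List, Tuple

WUI_PORT = 8443  # assumption: default LoadMaster WUI port


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.

    A refused, filtered (timed out) or unroutable port all count as
    unreachable, which is what a firewall ACL or removed interface produces.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(targets: List[Tuple[str, str, int, bool]]) -> List[Tuple[str, bool, bool]]:
    """Probe each (label, host, port, expect_reachable) target.

    Returns (label, reachable, ok) rows. ok is False when the observed state
    disagrees with the expectation: either the WUI is exposed on a network
    that should not reach it, or admins have lost access to it.
    """
    results = []
    for label, host, port, expect in targets:
        reachable = tcp_reachable(host, port)
        results.append((label, reachable, reachable == expect))
    return results


def self_check() -> Tuple[bool, bool]:
    """Offline demonstration: a loopback listener stands in for the WUI.

    Returns (reachable while listening, reachable after the listener closes),
    which should be (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET ranges); replace with the
    # LoadMaster's management address and a virtual-service address.
    targets = [
        ("management interface", "192.0.2.10", WUI_PORT, True),
        ("virtual-service interface", "198.51.100.10", WUI_PORT, False),
    ]
    for label, reachable, ok in check_isolation(targets):
        print(f"{label}: reachable={reachable} {'OK' if ok else 'MISMATCH'}")
```

A MISMATCH on the virtual-service row means the Remote Access setting, the Allow Multi Interface Access checkbox or the firewall ACL is not doing what you intended; a MISMATCH on the management row means you have cut off administrative access and should fix that before the change reaches production.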

Any questions regarding limiting access to the LoadMaster's administrative interface or any questions or issues relating to authentication should be directed to the Kemp Customer Support team here.

 

Fixed Software

Notice of Update Per 2018 April 05 Expanded Scope: Because it is now recommended to upgrade to mainstream LMOS version 7.2.42 or LTS LMOS version 7.1.35.6 to address the expanded scope of this vulnerability, the download links in the following section have been updated.

Mainstream LMOS

LMOS version 7.2.42.0 which is available here.

 

Long Term Support (LTS) LMOS

For customers running our Long Term Support (LTS) version of LoadMaster, this vulnerability is addressed in LMOS version 7.1.35.6 which is available here.

 

All customers with an active Support Subscription contract for their LoadMaster products are entitled to access this security hotfix.

 

Note: Please follow the appropriate upgrade procedure based on the current LMOS version you are running.  More information about upgrading can be found at the following link.

 

If you are using the product with one of the affected versions of LMOS and are currently out of support, please refer to the following article for instructions on upgrading your product(s).

Mitigation for Remote Access Execution Vulnerability - Out of Support

Upgrades are recommended to be completed outside normal business hours.

 

Exploitation and Public Announcements

The KEMP Security Response Team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

 

Source

The vulnerability was identified in conjunction with a third party penetration testing service provider.

 

URL
https://support.kemptechnologies.com/hc/en-us/articles/360001982452-Mitigation-for-Remote-Access-Execution-Vulnerability

 

Customer Support

Requests for assistance with mitigating this vulnerability can be submitted to KEMP Customer Support Here

 

Revision History

Version | Description | Section | Status | Date
1.0 | Initial public release | - | Final | 2018-March-22
1.1 | Added CVE details | Summary | Addition | 2018-March-28
1.2 | Added expanded scope to vulnerability; added 'URL' section; updated guidance to upgrade to LMOS versions 7.2.42 or 7.1.35.6 to cover expanded scope | All sections excluding 'Exploitation and Public Announcements', 'Source' and 'Customer Support' | Addition | 2018-April-05

 

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KEMP TECHNOLOGIES RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

 

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of KEMP products.

Comments

James Rago, Global Support Manager

Some links were broken. These have now been fixed.