Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster Vulnerabilities

The table below is a list of the security vulnerabilities about which the LoadMaster Support Team gets the most inquires from our customers. If you have a question about a vulnerability not listed below and whether it applies to LMOS, please contact Support.

 

CVE Entry /
Internal ID
Affected
Libraries 
Fixed Version Comments
CVE-2023-38408 OpenSSH N/A

Not Vulnerable. This exploit depends upon a vulnerability in ssh-agent, which is not supported on LoadMaster.

CVE-2023-36755
CVE-2023-36754
CVE-2023-36753
CVE-2023-36752
CVE-2023-36751
CVE-2023-36750
N/A N/A

Not Vulnerable. These vulnerabilities are specific to the Siemens RUGGEDCOM ROX product and are not present on LoadMaster.

CVE-2023-36664 N/A N/A

Not Vulnerable. Ghostscript is a third party application that is not supported on LoadMaster, which is not vulnerable to this exploit.

CVE-2023-32233

Kernel N/A

Not Vulnerable. Exploitation of this vulnerability requires an elevated level of privilege that is not available on LoadMaster via the UI or a remote shell. Linux servers located behind LoadMaster remain vulnerable and there is no mitigation for this exploit that can be configured on LoadMaster. All Linux real servers should be updated with a vendor fix for the Linux kernel. 

CVE-2023-29130

N/A N/A This vulnerability is specific to the Siemens SIMATIC product; this issue is therefore not present on LoadMaster.

CVE-2023-28708

N/A N/A 

Not Vulnerable. LoadMaster doesn’t use Tomcat, so the LoadMaster itself isn’t vulnerable to this exploit.

Applications running behind LoadMaster that use Tomcat are vulnerable and should be updated with a fixed version of Tomcat. In the meantime, LoadMaster customers can take action to close this vulnerability by adding the Secure attribute to cookies coming from back-end Tomcat real servers using LoadMaster’s content rules as described here.

CVE-2023-28531

openssh N/A

Not Vulnerable. This issue affects OpenSSH versions 8.9 through 9.3. LMOS versions above 7.2.53 use OpenSSH_8.4p1.

CVE-2023-28252

N/A N/A

Not Vulnerable. This vulnerability is specific to the Windows Common Log File System, which is not supported by LoadMaster. Affected Windows servers behind LoadMaster should be updated with the latest patches from Microsoft.

CVE-2023-25948
CVE-2023-24480
CVE-2023-25770
N/A N/A Not Vulnerable. These vulnerabilities are specific to unspecified Honeywell products and are not present on LoadMaster.
CVE-2023-24329 Python N/A

Not Vulnerable. The base LMOS system doesn't include Python and so is not vulnerable.

If the Python2.7 add-on package is installed, the vulnerability cannot be exploited since LoadMaster does not implement block lists in Python. 

CVE-2023-23585
CVE-2023-24474
CVE-2023-22435
N/A N/A Not Vulnerable. These vulnerabilities are specific to the Honeywell Experion product and are not present on LoadMaster.
CVE-2023-23397 N/A N/A Not Vulnerable. This is a Microsoft Outlook specific vulnerability and does not apply to LoadMaster. No WAF rule is available to mitigate the vulnerability for servers behind LoadMaster. Microsoft's mitigation recommendations can be found here.

CVE-2023-22809

N/A N/A

Not Vulnerable. LoadMaster is a closed appliance and does not provide a general purpose login or CLI that would allow the user to execute the 'sudo -e' command.

CVE-2023-22374

N/A N/A

Not Vulnerable. This exploit leverages a defect in iControl SOAP, an open communications API, specifically on Big-IP systems from F5 Networks. LoadMaster does not use or support iControl SOAP. 

CVE-2023-20900

vmtoolsd N/A

Not Vulnerable. This is a privilege escalation vulnerability present in the SAML implementation in versions of VMtools below 12.3.0. The Vmtoolsd add-on package on LoadMaster doesn't support SAML authentication and so is not vulnerable to this exploit.

CVE-2023-3595 N/A N/A

Not Vulnerable. This exploit is specific to Adobe InCopy, which is not supported on LoadMaster.

CVE-2023-3519
CVE-2023-3467
CVE-2023-3466
N/A N/A

Not Vulnerable. These arbitrary code execution, cross-site scripting, and privilege elevation vulnerabilities exist only on Citrix Netscaler products and are unrelated to LoadMaster.

CVE-2023-2650 openssl N/A

Theoretically Vulnerable. For OpenSSL versions on LoadMaster, this vulnerability is considered low severity, and affects only the display of objects such as X.509 certificates. This can only be done via the UI and API by an already authenticated user and so is considered unlikely to cause a Denial of Service. 

CVE-2023-2156 kernel N/A

Not Vulnerable. The version of the kernel used by LoadMaster is not vulnerable to this exploit related to the RPL protocol (routing protocol for low power / lossy networks).

CVE-2023-0401 openssl N/A

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster.

CVE-2023-0286 openssl N/A

Not Vulnerable. LoadMaster does not use any code that sets the X509_V_FLAG_CRL_CHECK flag and does not use its own network based CRL facility.

CVE-2023-0217

openssl N/A

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster. LoadMaster also does not use the EVP_PKEY_public_check() function required to exploit this vulnerability.

CVE-2023-0216

openssl N/A

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster. LoadMaster also does not use the PKCS7 functions required to exploit this vulnerability.

CVE-2023-0215

openssl N/A

Not Vulnerable. LoadMaster does not use the API as required to expose this vulnerability.

CVE-2022-47938
CVE-2022-47939
CVE-2022-47940
CVE-2022-47941
CVE-2022-47942
ZDI-22-1681
ZDI-22-1687
ZDI-22-1688
ZDI-22-1689
ZDI-22-1690

N/A N/A

Not Vulnerable. LoadMaster does not support the ksmbd binary and so is not vulnerable to this exploit. [Note that Linux servers configured behind LoadMaster remain vulnerable to this exploit and should be updated with the latest Linux kernel patch if they are running a vulnerable kernel release.]

CVE-2022-25636

N/A N/A

Not Vulnerable. This exploit is present in Linux kernel versions 5.4 through 5.6.10, which are not supported on LoadMaster.

CVE-2022-41040 CVE-2022-41082

N/A N/A

Not Vulnerable. LoadMaster itself is not vulnerable to these exploits; they are zero day vulnerabilities in Microsoft Exchange 2013, 2016, and 2019. There are, however, steps you can take on LoadMaster to protect your Exchange deployment from them. Please see this knowledge base article for more information. 

CVE-2022-32207 curl N/A

Not Vulnerable. While LoadMaster includes an affected version of curl in the delivered system, the curl command cannot be executed by users and cannot save data to local files.

CVE-2022-22965
CVE-2022-22963
CVE-2022-22950
N/A N/A

Not Vulnerable. LoadMaster does not use any components of the Java Spring Framework. [This is also true of the Kemp 360 Central and Vision products.]

CVE-2022-21907 N/A N/A

Partially Vulnerable. This vulnerability exploits a flaw in the Microsoft Windows Server implementation of HTTP trailer headers which may appear at the end of chunked messages. Because trailer headers are not supported on LoadMaster, non-passthrough Layer 7 services on LoadMaster are not susceptible to exploitation of this vulnerability. For passthrough services, the required remediation is to install the latest updates from Microsoft on all vulnerable servers, or turn off trailer header processing on those servers.  

CVE-2022-21449 Oracle Java SE Libraries N/A

Not Vulnerable. This is a vulnerability in the Oracle Java SE. A successful exploit of this vulnerability can result in unauthorized creation, deletion, or modification of Java SE accessible data. The Oracle Java SE is not present on LoadMaster, which is therefore not vulnerable to this attack. 

CVE-2022-4450

openssl None

Partially Vulnerable. This exploit could be leveraged only by an already authenticated administrator who could install specially crafted PEM files on LoadMaster, which could in turn cause some system processes to exit abnormally.

CVE-2022-4304

openssl None

Theoretically Vulnerable. An attacker would need to be able to capture traffic between LM and both the client and real server to get a complete dialogue; and then be able to replay a large number of similar dialogues to recover the plaintext used in a TLS session. By the time this is done, the TLS session is not likely to exist.

CVE-2022-3786
CVE-2022-3602

N/A N/A

Not Vulnerable. These CVEs describe two high-severity vulnerabilities in OpenSSL version 3.0.6. LoadMaster does not yet support OpenSSL 3 -- running version 1.1.1n as of the date that these vulnerabilities were announced -- and so is not vulnerable to these exploits. Also see this security announcement.

CVE-2022-2068
CVE-2022-1292
OpenSSL N/A

Not Vulnerable. LMOS does include an affected OpenSSL release (1.1.1 thru 1.1.n), but the c_rehash script, on which these exploits depend, is not used by LoadMaster.

CVE-2022-0847 Linux Kernel N/A

Not Vulnerable. This exploit affects specific versions of the Linux kernel only and LMOS does not use any of the vulnerable kernel versions. 

CVE-2022-0778 OpenSSL 7.2.56.2
7.2.54.4
7.2.48.7

LoadMaster is vulnerable to this exploit. The updates listed at left were released on 25 April 2022 to close this vulnerability by upgrading to the OpenSSL release where this issue is addressed (OpenSSL 1.1.1n). Please see this section for upgrade guidance.

CVE-2021-45080

N/A 7.2.54.3

It was possible for a malicious, already authenticated, privileged user to obtain unrestricted access to the VLM disk image and thereby obtain a debug password to the running system. This vulnerability has been closed.

CVE-2021-44228

N/A N/A

Not Vulnerable. The LoadMaster and GEO products are not vulnerable to this exploit, as Java is not used by either product. [Please note that the KEMP 360 Central and Kemp 360 Vision products also do not use Java.]

CVE-2021-41823

N/A N/A

LoadMaster is vulnerable to this medium-level exploit. Customers can add a custom rule to the WAF engine to block it. Please see this article.

CVE-2021-41617 OpenSSH N/A

Not Vulnerable. This exploit depends on two optional configuration options being set on the target device, neither of which can be enabled on LoadMaster.

CVE-2021-41069

N/A 7.2.55.0

Validation has been enhanced for the upload of a Virtual Service Template to the system to close a security vulnerability wherein a carefully constructed file can be uploaded as a template and create unwanted files on the filesystem.

CVE-2021-41068 N/A 7.2.55.0 The system console has been updated to close vulnerabilities present in previous releases that could allow an already authenticated user to obtain a privileged shell.

CVE-2021-36368

N/A N/A Not Vulnerable. This requires agent forwarding to be enabled on the target system and I don’t think that’s enabled on LM. Even if it is, the CVE specifically states that in order to exploit this vulnerability, “an attacker has silently modified the server to support the None authentication option”. So, the attacker would already have to possess admin credentials for the LM -- at which point there is nothing any system could do to prevent them from modifying security sensitive options. This exploit is also disputed by the vendor: "this is not an authentication bypass, since nothing is being bypassed."
CVE-2021-33910 N/A N/A Not Vulnerable. This requires the ability to install a kernel module and other programs onto the target system, which is not possible on LMOS.
CVE-2021-33909 N/A N/A Not Vulnerable. The systemd program is not present on LMOS.
CVE-2021-27876 N/A N/A Not Vulnerable. LoadMaster does not support the Veritas Backup Agent.
CVE-2021-26855 N/A N/A Not Vulnerable. Exchange servers behind LoadMaster are still vulnerable to this (and related) attacks as described by this Microsoft blog. See this LoadMaster knowledgebase article for instructions on how to configure LoadMaster to help protect vulnerable servers until they are patched.
CVE-2021-4034 N/A N/A Not Vulnerable. This exploit leverages the pkexec utility, which does not exist on LoadMaster.
CVE-2021-3711 openssl N/A Not Vulnerable. The SM2 ciphers that are the subject of this vulnerability are not supported on any release of LoadMaster.
CVE-2021-3450 openssl N/A Not Vulnerable. This vulnerability affects OpenSSL version 1.1.1h through 1.1.1j, none of which are supported on any release of LMOS. LMOS 7.2.55 supports OpenSSL 1.1.1k, which closes this vulnerability.
CVE-2021-3449 openssl LMOS 7.2.55.0
openssl 1.1.1k

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).

In LMOS 7.2.55, OpenSSL is updated to version 1.1.1k which addresses this issue. Also see this support article.

Also note that in LMOS 7.2.55, the default setting for SSL Renegotiation is now disabled.

CVE-2021-3156 Sudoedit Linux N/A Not Vulnerable. The sudoedit program is not present on LMOS.
CVE-2021-1732 Windows NETLOGON N/A Not Vulnerable. This is Windows-only issue and does not apply to Linux-based systems like LMOS. 

CVE-2020-15778

 N/A

 N/A Not Vulnerable. LoadMaster currently runs OpenSSH version 8.4p1; this exploit occurs in 8.3p1 and earlier releases.
CVE-2020-15598 ModSecurity v3 N/A Not Vulnerable. LMOS uses the ModSecurity v2.9 release line.
CVE-2020-14145 openssh 8.4p1

Theoretically Vulnerable.

This is a medium level (5.9) “information leak” issue that could allow unauthorized users to obtain sensitive information during algorithm negotiation. This is not in itself an attack on the system; but, the information obtained could theoretically be used to mount a separate attack that leverages the leaked information. SSH on LoadMaster is not for general purpose login and best practices include locating the management endpoint for the LoadMaster on a dedicated network where only trusted personnel have access, which will mitigate this exploit.
CVE-2020-10029 Glibc N/A Not Vulnerable.
CVE-2020-8515 N/A N/A Not Vulnerable.
CVE-2020-1967 N/A N/A Not Vulnerable.
PD-13899 N/A N/A Vulnerability concerning ACLs and Real Servers. Real Servers located on networks on which LoadMaster also has an IP address are always allowed to access Virtual Services that also have an IP address on that network interface regardless of all access control list (ACL) settings on LoadMaster. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
CVE-2019-16905 openssh 7.7,7.9,
8.x-8.1
Not Vulnerable. The vulnerable experimental code is not built as part of LMOS.
CVE-2019-0190 openssl 1.1.1 Not Vulnerable. Relevant only to an Apache servers.
CVE-2019-1551 openssl 1.1.1 Not Vulnerable. This exploit requires a 512-bit random key and the default for LMOS is 2K.

CVE-2019-1549

openssl 1.1.1 Not Vulnerable.
CVE-2019-1563 openssl 1.1.1 Not Vulnerable. LMOS does not support PKCS7 or CMS and it always uses a certificate.
CVE-2019-1547 openssl 1.1.1 Not Vulnerable. LMOS only uses the libssl interface, which is indicated to be not vulnerable.

CVE-2018-15919

openssh

N/A

Not Vulnerable. This issue affects OpenSSH versions 7.8 and below. LMOS versions above 7.2.53 use OpenSSH_8.4p1.

CVE-2016-20012

 N/A

 N/A Not Vulnerable. SSH access on LoadMaster is only for local console and xroot access; no security relevant information is leaked to a malicious user using the methods described in the CVE.
CVE-2013-4786 IPMI hardware N/A

Vulnerable. This is a known issue of the IPMI protocol and affects hardware appliances from many vendors. The advice from the IPMI/BMC vendor is to locate the BMC IP address on a secure, internal network that is accessible by trusted personnel only and to use strong passwords on all BMC user logins. It is also possible to disable login to the BMC so that IPMI cannot be used to send commands to the BMC, closing this vulnerability. Please see this article for more information.

CVE-2013-4037 IPMI hardware N/A

Not Vulnerable. This issue applies only to specific hardware listed in the advisory and doesn’t affect LoadMaster.

CVE-2013-3587 Layer 7 N/A

Vulnerable. This is a vulnerability in HTTP compression that isn’t specific to LoadMaster, as documented here. Vulnerable websites typically serve dynamic web pages that also carry secret tokens that can be guessed by an attacker over repeated accesses. Best practices include, in order of effectiveness: disabling compression entirely, enabling compression only for static webpages, configuring rate limits for compressed web pages that contain secret data, and continuous log monitoring for repeated failed accesses (indicating possible attempts by attackers to guess secrets). 

CVE-2011-1473 openssl 1.x

By default, LoadMaster is not vulnerable to this exploit since renegotiation is disabled by default in 7.2.55 and above (as you noted below). With renegotiation on, LoadMaster is no more vulnerable than any other network appliance running OpenSSL 1.1.1. This CVE is listed as disputed, per this note: It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Therefore, if you enable renegotiation on LM, you need to configure your back-end servers properly to limit renegotiation.

CVE-2011-5094 openssl 1.x Not Vulnerable. Mozilla NSS is not present on nor used by LoadMaster.
CVE-2003-0001 N/A N/A

Not Vulnerable. This exploit affects the Linux kernel version 2.x.x release series; LoadMaster currently (LMOS 7.2.57) runs with the 4.14.137 kernel.

 

CVE-2022-0778: Upgrade Guidance

Please locate your currently running release in the left column below and follow the action listed in the right column to close this vulnerability.

If you are currently running: Take the following action:
7.2.56.2 or later No action necessary.
7.2.55.x / 7.2.56.0 / 7.2.56.1 Update to 7.2.56.2 (or later).
7.2.54.4 through 7.2.54.x No action necessary.
7.2.49.x through 7.2.54.3 Update to 7.2.54.4 (or 7.2.56.2 or later)
7.2.48.7 through 7.2.48.x No action necessary.
7.2.48.6 or earlier Update to 7.2.48.7 (or 7.2.54.4 or 7.2.56.2 or later) 

 


Was this article helpful?
2 out of 2 found this helpful

Comments

Avatar

Chris Collins

Would be nice if we could "follow" this article for updates to it.

0