LoadMaster Vulnerabilities

CVE-2023-32233

Not Vulnerable. Exploitation of this vulnerability requires an elevated level of privilege that is not available on LoadMaster via the UI or a remote shell. Linux servers located behind LoadMaster remain vulnerable and there is no mitigation for this exploit that can be configured on LoadMaster. All Linux real servers should be updated with a vendor fix for the Linux kernel. 

CVE-2023-28708

Not Vulnerable. LoadMaster doesn’t use Tomcat, so the LoadMaster itself isn’t vulnerable to this exploit.

Applications running behind LoadMaster that use Tomcat are vulnerable and should be updated with a fixed version of Tomcat. In the meantime, LoadMaster customers can take action to close this vulnerability by adding the Secure attribute to cookies coming from back-end Tomcat real servers using LoadMaster’s content rules as described here.

CVE-2023-22809

Not Vulnerable. LoadMaster is a closed appliance and does not provide a general purpose login or CLI that would allow the user to execute the 'sudo -e' command.

CVE-2023-22374

Not Vulnerable. This exploit leverages a defect in iControl SOAP, an open communications API, specifically on Big-IP systems from F5 Networks. LoadMaster does not use or support iControl SOAP. 

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster.

Not Vulnerable. The version of the kernel used by LoadMaster is not vulnerable to this exploit related to the RPL protocol (routing protocol for low power / lossy networks).

Not Vulnerable. LoadMaster does not use any code that sets the X509_V_FLAG_CRL_CHECK flag and does not use its own network based CRL facility.

CVE-2023-0217

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster. LoadMaster also does not use the EVP_PKEY_public_check() function required to exploit this vulnerability.

CVE-2023-0216

Not Vulnerable. This vulnerability applies to OpenSSL 3.0.0-3.0.7 only, which is not supported on LoadMaster. LoadMaster also does not use the PKCS7 functions required to exploit this vulnerability.

CVE-2023-0215

Not Vulnerable. LoadMaster does not use the API as required to expose this vulnerability.

CVE-2022-25636

Not Vulnerable. This exploit is present in Linux kernel versions 5.4 through 5.6.10, which are not supported on LoadMaster.

CVE-2022-47938
CVE-2022-47939
CVE-2022-47940
CVE-2022-47941
CVE-2022-47942
ZDI-22-1681
ZDI-22-1687
ZDI-22-1688
ZDI-22-1689
ZDI-22-1690

Not Vulnerable. LoadMaster does not support the ksmbd binary and so is not vulnerable to this exploit. [Note that Linux servers configured behind LoadMaster remain vulnerable to this exploit and should be updated with the latest Linux kernel patch if they are running a vulnerable kernel release.]

CVE-2022-4450

Partially Vulnerable. This exploit could be leveraged only by an already authenticated administrator who could install specially crafted PEM files on LoadMaster, which could in turn cause some system processes to exit abnormally.

CVE-2022-4304

Theoretically Vulnerable. An attacker would need to be able to capture traffic between LM and both the client and real server to get a complete dialogue; and then be able to replay a large number of similar dialogues to recover the plaintext used in a TLS session. By the time this is done, the TLS session is not likely to exist.

CVE-2022-3786
CVE-2022-3602

Not Vulnerable. These CVEs describe two high-severity vulnerabilities in OpenSSL version 3.0.6. LoadMaster does not yet support OpenSSL 3 -- running version 1.1.1n as of the date that these vulnerabilities were announced -- and so is not vulnerable to these exploits. Also see this security announcement.

CVE-2022-41040 CVE-2022-41082

LoadMaster itself is not vulnerable to these exploits; they are zero day vulnerabilities in Microsoft Exchange 2013, 2016, and 2019. There are, however, steps you can take on LoadMaster to protect your Exchange deployment from them. Please see this knowledge base article for more information. 

Not Vulnerable. LoadMaster does not use any components of the Java Spring Framework. [This is also true of the Kemp 360 Central and Vision products.]

Partially Vulnerable. This vulnerability exploits a flaw in the Microsoft Windows Server implementation of HTTP trailer headers which may appear at the end of chunked messages. Because trailer headers are not supported on LoadMaster, non-passthrough Layer 7 services on LoadMaster are not susceptible to exploitation of this vulnerability. For passthrough services, the required remediation is to install the latest updates from Microsoft on all vulnerable servers, or turn off trailer header processing on those servers.  

Not Vulnerable. This is a vulnerability in the Oracle Java SE. A successful exploit of this vulnerability can result in unauthorized creation, deletion, or modification of Java SE accessible data. The Oracle Java SE is not present on LoadMaster, which is therefore not vulnerable to this attack. 

Not Vulnerable. This exploit affects specific versions of the Linux kernel only and LMOS does not use any of the vulnerable kernel versions. 

LoadMaster is vulnerable to this exploit. The updates listed at left were released on 25 April 2022 to close this vulnerability by upgrading to the OpenSSL release where this issue is addressed (OpenSSL 1.1.1n). Please see this section for upgrade guidance.

CVE-2021-45080

It was possible for a malicious, already authenticated, privileged user to obtain unrestricted access to the VLM disk image and thereby obtain a debug password to the running system. This vulnerability has been closed.

CVE-2021-44228

Not Vulnerable. The LoadMaster and GEO products are not vulnerable to this exploit, as Java is not used by either product. [Please note that the KEMP 360 Central and Kemp 360 Vision products also do not use Java.]

CVE-2021-41823

LoadMaster is vulnerable to this medium-level exploit. Customers can add a custom rule to the WAF engine to block it. Please see this article.

CVE-2021-41069

Validation has been enhanced for the upload of a Virtual Service Template to the system to close a security vulnerability wherein a carefully constructed file can be uploaded as a template and create unwanted files on the filesystem.

CVE-2021-36368

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).

In LMOS 7.2.55, OpenSSL is updated to version 1.1.1k which addresses this issue. Also see this support article.

Also note that in LMOS 7.2.55, the default setting for SSL Renegotiation is now disabled.

CVE-2020-15778

CVE-2019-1549

CVE-2016-20012

By default, LoadMaster is not vulnerable to this exploit since renegotiation is disabled by default in 7.2.55 and above (as you noted below). With renegotiation on, LoadMaster is no more vulnerable than any other network appliance running OpenSSL 1.1.1. This CVE is listed as disputed, per this note: It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Therefore, if you enable renegotiation on LM, you need to configure your back-end servers properly to limit renegotiation.

Not Vulnerable. This exploit affects the Linux kernel version 2.x.x release series; LoadMaster currently (LMOS 7.2.57) runs with the 4.14.137 kernel.