Article Details
Scrape Timestamp (UTC): 2024-09-08 14:16:24.391
Original Article Text
Click to Toggle View
Progress LoadMaster vulnerable to 10/10 severity RCE flaw. Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device. The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request. However, the lack of user input sanitization could also allow the attacker to execute arbitrary system commands on vulnerable endpoints. "It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted HTTP request that will allow arbitrary system commands to be executed," reads the security bulletin. "This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution." LoadMaster is an application delivery controller (ADC) and load balancing solution used by large organizations for optimizing app performance, managing network traffic, and ensuring high service availability. The MT Hypervisor is a version of LoadMaster designed for multi-tenant environments, allowing multiple virtual network functions to run on the same hardware. CVE-2024-7591 was found to impact LoadMaster version 7.2.60.0 and all previous versions, and also the MT Hypervisor version 7.1.35.11 and all prior releases. Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches are also impacted. To fix the flaw, Progress released an add-on package that can be installed on any of the vulnerable versions, including older releases, so there’s no target versions to upgrade to in order to address the risk from this vulnerability. However, the patch does not apply to the free version of LoadMaster, so CVE-2024-7591 remains a problem there. Progress Software says it has not received any reports of active exploitation for the vulnerability as of the publication of its bulletin. Nevertheless, all LoadMaster users are recommended to take the appropriate action to secure their environment against this possibility, including installing the add-on and also implementing the vendor-recommended security hardening measures.
Daily Brief Summary
Progress Software has released an emergency patch for a critical vulnerability in LoadMaster products, rated 10/10 in severity.
The vulnerability, identified as CVE-2024-7591, allows unauthenticated remote attackers to execute arbitrary system commands via a specially crafted HTTP request.
This security issue stems from improper input validation in the device's management interface, which lacked proper sanitization.
Affected products include LoadMaster version 7.2.60.0 and prior, as well as MT Hypervisor version 7.1.35.11 and earlier.
The vulnerability impacts not only standard versions but also long-term support variants, although free versions remain vulnerable as no patch is applicable.
Despite no current reports of exploitation, Progress Software advises all users to apply the emergency patch and follow recommended security practices.
LoadMaster is widely used in large organizations for application performance optimization, load balancing, and network traffic management.