Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device.
The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request.
However, the lack of user input sanitization could also allow the attacker to execute arbitrary system commands on vulnerable endpoints.
"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted HTTP request that will allow arbitrary system commands to be executed," reads the security bulletin.
"This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."
LoadMaster is an application delivery controller (ADC) and load balancing solution used by large organizations for optimizing app performance, managing network traffic, and ensuring high service availability.
The MT Hypervisor is a version of LoadMaster designed for multi-tenant environments, allowing multiple virtual network functions to run on the same hardware.
CVE-2024-7591 was found to impact LoadMaster version 7.2.60.0 and all previous versions, and also the MT Hypervisor version 7.1.35.11 and all prior releases. Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches are also impacted.
To fix the flaw, Progress released an add-on package that can be installed on any of the vulnerable versions, including older releases, so there’s no target versions to upgrade to in order to address the risk from this vulnerability.
However, the patch does not apply to the free version of LoadMaster, so CVE-2024-7591 remains a problem there.
Progress Software says it has not received any reports of active exploitation for the vulnerability as of the publication of its bulletin.
Nevertheless, all LoadMaster users are recommended to take the appropriate action to secure their environment against this possibility, including installing the add-on and also implementing the vendor-recommended security hardening measures.
Related Articles:
Apache fixes critical OFBiz remote code execution vulnerability
Veeam warns of critical RCE flaw in Backup & Replication software
D-Link says it is not fixing four RCE flaws in DIR-846W routers
SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
Cisco warns of critical RCE zero-days in end of life IP phones
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
