A major security flaw, known as CVE-2024-1212, has been discovered in Progress Kemp LoadMaster. The vulnerability lets unauthenticated attackers run system commands through the LoadMaster management interface. It has been given the highest severity rating, scoring 10.0 on the CVSS scale, placing users at significant risk of exploitation.
Exploited vulnerability in LoadMaster puts networks at risk — Are you patched yet?
Rhino Security Labs has reported that a flaw in the LoadMaster API implementation allows pre-authentication command injection. For those unfamiliar with it, LoadMaster is a load balancer available in several editions, including a widely used free option. The problem arises when API requests are made to the ‘/access’ and ‘/accessv2’ endpoints. The min-httpd server processes these requests in a way that allows attacker-controlled data to be inserted into system commands.
More precisely, if an attacker sends an enable-API command to the /access endpoint, the system skips the checks that would normally verify whether the API is enabled. The credentials are read directly from the Authorization header, so the attacker controls the ‘username’ value. That string is placed into the REMOTE_USER environment variable and then passed to a system() call, which runs it through the bash shell. Remarkably, the flaw remains exploitable even when the API is turned off, which considerably widens the exposure.
While examining this vulnerability, it was noted that LoadMaster exposes two API versions. The newer v2 API accepts JSON requests on the /accessv2 endpoint. There is, however, an important distinction: the password value can also be altered, but it is base64-encoded before being passed to the vulnerable command execution path, which prevents exploitation through that route.
Moreover, the vendor's fix addresses the vulnerability by truncating input strings at any apostrophe they contain. This means that potentially harmful quotation marks are removed before the system processes the command, blocking the injection attempt.
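The two mechanisms described above (attacker-controlled username from the Authorization header reaching a shell, and the vendor fix that truncates at the first apostrophe) can both be illustrated from a defender's side. The following is an added example, not code from the article, from Rhino Security Labs or from Progress: it decodes Basic Authorization headers from constructed request records aimed at the /access and /accessv2 paths, flags usernames containing shell metacharacters, and applies the same truncate-at-apostrophe sanitisation the fix uses. The request-record format, the path strings and the usernames are all constructed for the example; the real API command names and credentials are not taken from the page.

```python
import base64
import re

# Characters that have no legitimate place in a LoadMaster API username but
# would be significant to a bash shell reached via system(). The apostrophe
# is the one the vendor fix truncates on; the others are included so the
# detector is not defeated by a different quoting style.
SHELL_META = re.compile(r"[';`$|&<>\r\n]")

# Only the endpoints the advisory names are worth inspecting.
WATCHED_PREFIXES = ("/access", "/accessv2")


def decode_basic_auth(header):
    """Return (username, password) from a 'Basic <base64>' header, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects stray characters instead of silently dropping them
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def truncate_at_apostrophe(value):
    """Mimic the vendor fix: keep only the text before the first apostrophe."""
    return value.split("'", 1)[0]


def is_suspicious_username(user):
    """True if the username carries characters a shell would interpret."""
    return bool(SHELL_META.search(user))


def scan_requests(records):
    """Inspect constructed (method, path, authorization) records.

    Returns one finding per request to a watched endpoint that carried
    decodable Basic credentials, with a verdict and the sanitised username.
    """
    findings = []
    for method, path, auth in records:
        if not path.startswith(WATCHED_PREFIXES):
            continue
        creds = decode_basic_auth(auth)
        if creds is None:
            continue
        user, _ = creds
        findings.append({
            "method": method,
            "path": path,
            "username": user,
            "suspicious": is_suspicious_username(user),
            "sanitized": truncate_at_apostrophe(user),
        })
    return findings


def _basic(user, password):
    """Build a Basic header value for the constructed sample records."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample traffic. Paths and credentials are invented for the
# example; "enableapi" stands in for the enable-API command named in the text.
SAMPLE_REQUESTS = [
    ("GET", "/access/enableapi", _basic("bal", "secret")),        # ordinary admin call
    ("GET", "/access/enableapi", _basic("admin';'", "secret")),   # quote break-out, no command
    ("POST", "/accessv2", _basic("o'neil", "secret")),            # legitimate apostrophe
    ("GET", "/index.html", _basic("admin';'", "secret")),         # not a watched endpoint
    ("GET", "/access/enableapi", "Bearer not-basic-at-all"),       # undecodable, skipped
]


def suspicious_findings(records=SAMPLE_REQUESTS):
    """Convenience wrapper: only the findings a SOC analyst would want to see."""
    return [f for f in scan_requests(records) if f["suspicious"]]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

Two design points are worth noting. First, the detector is deliberately broader than the vendor fix: the fix only strips from the first apostrophe, so the regex also matches other shell metacharacters a reviewer would want surfaced in logs. Second, the `o'neil` record shows the edge case of the truncation approach: a legitimate username containing an apostrophe is both flagged and silently shortened to `o`, which is why building shell commands from request headers is avoided in the first place rather than patched by character filtering alone.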
The Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2024-1212 to its catalog of known exploited vulnerabilities, further highlighting the urgency of the situation. Since the vulnerability was disclosed, attackers have begun exploiting it in the wild, underscoring the importance of organizations running Progress Kemp LoadMaster installing the available updates. Progress Software fixed this vulnerability in February 2024, yet the risk of exploitation remains significant for unpatched systems.
CISA has suggested that Federal Civilian Executive Branch agencies address this vulnerability by December 9, 2024, highlighting the severity of the problem. The agency cautioned that if successfully exploited, attackers could gain unrestricted access to the LoadMaster interface, enabling them to manipulate network behaviors.
Furthermore, these developments come alongside warnings about other actively exploited weaknesses, such as those discovered in VMware vCenter Server (CVE-2024-38812 and CVE-2024-38813). These vulnerabilities highlight organizations’ need to strengthen their cybersecurity defenses. Using reliable tools like Tenable VM, Tenable SC, and Tenable Nessus, users can safeguard their systems by promptly installing patches and conducting vulnerability testing.
Image credit: Furkan Demirkaya/Flux AI