Quick note for administrators who run the LoadMaster load balancer from Progress Kemp. On February 7, 2024 the vendor released firmware updates for several LoadMaster branches; they should be installed immediately. Addendum: information on CVE-2024-1212 in Progress Kemp LoadMaster has been added.
Progress Kemp's LoadMaster is a load balancer. In its simplest form, a load balancer distributes application users across a pool of servers, steering each request to a server that is reachable and has capacity.
Here is the link to the LoadMaster firmware release 7.2.54.8 LTSF. After installing the updates, which are only available to customers, the product should be at one of the following patch levels:
- 7.2.59.2 (GA)
- 7.2.54.8 (LTSF)
- 7.2.48.10 (LTS)
- 7.2.59.6+ (NG Hardware)
I cannot disclose the details at the moment, as they are still confidential until February 21, 2024.
CVE-2024-1212 in Progress Kemp LoadMaster
Addendum: At the beginning of February 2024 Progress Kemp was apparently notified of a critical vulnerability, CVE-2024-1212, affecting LoadMaster v7.2.48.1 and newer, and was able to confirm it. A list of LoadMaster vulnerabilities, last revised February 21, 2024, can be found here.
According to the information I have received, an unauthenticated remote attacker who can reach the LoadMaster management interface can send a specially crafted API request that causes arbitrary system commands to be executed, without any authentication.
LoadMaster's long-standing best practice is to put the management interface (which hosts the UI and the API) on a dedicated network interface and to restrict access to it to trusted personnel. Not every customer configuration follows this, however, and a management interface reachable from untrusted networks turns this bug into an unauthenticated remote code execution exposure.
To benefit from the fix, customers must install the security patch, i.e. move to one of the Progress Kemp LoadMaster versions listed above. Until that is done, restricting network access to the management interface is the obvious interim mitigation.
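As an added example (not code from this post or from Progress Kemp), here is a small Python triage script that checks an inventory of LoadMaster appliances against the four patch builds listed above and the affected range from the addendum. The branch labels (GA, LTSF, LTS, NG Hardware) and the version thresholds are the post's own; the inventory rows and hostnames are constructed for illustration. The point worth taking away is the numeric version comparison: compared as strings, "7.2.48.9" sorts after "7.2.48.10" and an unpatched LTS box would be reported as patched.

```python
"""Triage LoadMaster firmware versions against the patched builds from the post.

Added example, not Progress Kemp code. Thresholds and branch labels are the ones
listed in the post; the affected range (7.2.48.1 and newer) is from the addendum.
The inventory below is constructed for illustration.
"""
from __future__ import annotations

# Patched build per release branch, as listed in the post.
PATCHED: dict[str, str] = {
    "GA": "7.2.59.2",
    "LTSF": "7.2.54.8",
    "LTS": "7.2.48.10",
    "NG Hardware": "7.2.59.6",
}
# First affected version named in the addendum.
FIRST_AFFECTED = "7.2.48.1"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.2.48.10' into (7, 2, 48, 10) so comparisons are numeric.

    Comparing the raw strings would be wrong: '7.2.48.9' > '7.2.48.10' as text.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable LoadMaster version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, branch: str) -> str:
    """Return 'patched', 'vulnerable' or 'out of scope' for one appliance.

    'out of scope' means the version is older than 7.2.48.1, which the advisory
    does not cover; it is not a statement that such builds are safe.
    """
    if branch not in PATCHED:
        raise KeyError(f"unknown branch {branch!r}; expected one of {sorted(PATCHED)}")
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return "out of scope"
    return "patched" if v >= parse_version(PATCHED[branch]) else "vulnerable"


# Constructed inventory: (hostname, branch, installed firmware).
INVENTORY = [
    ("lb-dc1-01", "GA", "7.2.59.1"),
    ("lb-dc1-02", "GA", "7.2.59.2"),
    ("lb-dc2-01", "LTSF", "7.2.54.7"),
    ("lb-dc2-02", "LTS", "7.2.48.9"),
    ("lb-lab-01", "NG Hardware", "7.2.59.6"),
    ("lb-old-01", "LTS", "7.2.47.3"),
]


def triage(inventory=INVENTORY) -> dict[str, list[str]]:
    """Group hostnames by assessment so the 'vulnerable' list can go straight to a ticket."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "out of scope": []}
    for host, branch, version in inventory:
        groups[assess(version, branch)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage().items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The branch is passed explicitly rather than inferred from the version string, because the post lists 7.2.59.2 for GA but 7.2.59.6 for NG Hardware; the same 7.2.59.x number can mean different things on different hardware, so the inventory has to carry the branch.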