A short note for administrators who run the LoadMaster load balancer from Progress Kemp. On February 5, 2025, a whole series of vulnerabilities affecting older versions of the software became public. The vendor has released patches; some of the flaws carry a CVSS rating of "high".
What is Progress Kemp?
Progress Kemp offers the LoadMaster load balancer, which distributes traffic in networks. In its simplest form, a load balancer forwards an application's users to the server that is currently reachable and has the most capacity.
Vulnerabilities in LoadMaster
I came across the now published CVEs overnight via a series of tweets. Progress Kemp disclosed the vulnerabilities on February 5, 2025, in the community post LoadMaster Security Vulnerability CVE-2024-56131 / CVE-2024-56132 / CVE-2024-56133 / CVE-2024-56134 / CVE-2024-56135.
The vulnerabilities CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 affect all current LoadMaster releases as well as the LoadMaster Multi-Tenant (MT) Hypervisor.
- CVE-2024-56131 / CVE-2024-56132 / CVE-2024-56133 / CVE-2024-56135: Remote attackers who gain access to the LoadMaster management interface and authenticate successfully can send a crafted HTTP request that leads to the execution of arbitrary system commands. The fix sanitizes the user input taken from requests so that arbitrary system commands can no longer be executed.
- CVE-2024-56134: Remote attackers who gain access to the LoadMaster management interface and authenticate successfully can send a specially crafted HTTP request that returns the contents of an arbitrary file on the system. The fix likewise sanitizes the user input of the request so that arbitrary files can no longer be read.
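The advisory only names the two bug classes (command injection and arbitrary file download via a crafted request to the management interface) and says both were closed by sanitizing user input. The following added example is not LoadMaster's code and does not reproduce the actual flaws; it models each class in a hypothetical management handler in Python, with the vulnerable construction next to the hardened one, so the kind of input check the advisory refers to is concrete. The parameter names, the `ping` action and the `EXPORT_DIR` path are assumptions for illustration.

```python
import os
import re
import subprocess

# Illustrative code, NOT LoadMaster's. It models the two vulnerability classes
# named in the advisory for a hypothetical management handler that reads one
# untrusted request parameter, and the input validation that closes each one.

EXPORT_DIR = "/var/lib/example/exports"  # hypothetical download root, not a LoadMaster path


# --- Command injection (class of CVE-2024-56131/56132/56133/56135) ------------

def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell string.

    With host="127.0.0.1; id" the string becomes `ping -c 1 127.0.0.1; id`, and a
    call such as subprocess.run(cmd, shell=True) would run `id` as the daemon user.
    """
    return f"ping -c 1 {host}"


# Allowlist: hostname/IPv4 characters only, no leading '-' (would become a ping option).
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def build_ping_command_hardened(host: str) -> list:
    """Hardened pattern: strict allowlist first, then an argv list (no shell at all).

    The allowlist rejects shell metacharacters (; | & $ ` newline, space) and a
    leading '-', so the value can never be parsed as a second command or as an option.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_argv(argv: list) -> subprocess.CompletedProcess:
    # No shell: argv elements go verbatim to execve(), so "; id" is just a string.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


# --- Arbitrary file download (class of CVE-2024-56134) -------------------------

def resolve_download_vulnerable(name: str) -> str:
    """Vulnerable pattern: the file name from the request is joined unchecked.

    name="../../../../etc/passwd" escapes EXPORT_DIR; an absolute name replaces the
    base entirely, because os.path.join drops everything before an absolute part.
    """
    return os.path.join(EXPORT_DIR, name)


def resolve_download_hardened(name: str) -> str:
    """Hardened pattern: canonicalise, then require the result to stay under the base.

    '..' segments and symlinks are resolved with realpath before the containment
    check, so a name that only looks harmless but points elsewhere is still rejected.
    """
    if not name or "\x00" in name:
        raise ValueError("invalid file name")
    base = os.path.realpath(EXPORT_DIR)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected path outside export directory: {name!r}")
    return target


if __name__ == "__main__":
    for host in ("127.0.0.1", "127.0.0.1; id"):
        print("shell string:", build_ping_command_vulnerable(host))
        try:
            print("argv list   :", build_ping_command_hardened(host))
        except ValueError as err:
            print("argv list   :", err)
    for name in ("report.txt", "../../../../etc/passwd", "/etc/passwd"):
        print("unchecked   :", resolve_download_vulnerable(name))
        try:
            print("checked     :", resolve_download_hardened(name))
        except ValueError as err:
            print("checked     :", err)
```

The two hardened functions show the same principle: validate the request parameter against what the handler actually needs (a host name, a file inside one directory) and never let it reach a shell or the filesystem unmodified. Note that an argv list alone is not enough for the command case: a value starting with `-` would still be interpreted as an option by the called program, which is why the allowlist forbids it.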
There are no known reports to date that these vulnerabilities have been or are being exploited. Progress Kemp recommends that all customers update their LoadMaster deployments as soon as possible to protect their environment. The community post lists the affected Progress Kemp software versions and links to the security updates. Since all five issues require an authenticated session on the management interface, keeping that interface off untrusted networks limits exposure until the update is applied.