Pierluigi Paganini September 09, 2024
Progress Software released an emergency fix for a critical vulnerability, tracked as CVE-2024-7591, that affects its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products.
The vulnerability is an improper input validation issue that could allow an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request.
“It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed.” reads the advisory. “This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution.”
Progress LoadMaster is a high-performance application delivery controller (ADC) and load balancer. It is designed to enhance the availability, scalability, performance, and security of business-critical applications and websites.
The vulnerability could enable an attacker to execute arbitrary commands on affected systems.
Below is the list of affected product versions:
| Product | Affected Versions | Patched Versions | Release Date |
|---|---|---|---|
| LoadMaster | 7.2.60.0 and all prior versions | Add-on Package XML validation file | Sep 03 2024 |
| Multi-Tenant Hypervisor | 7.1.35.11 and all prior versions | Add-on Package XML validation file | Sep 03 2024 |
Multi-Tenant LoadMaster (LoadMaster MT) is affected if the following condition is met:
As reported by a user in the advisory comments, the addon package released by Progress doesn’t allow installation on the free version.
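The affected ranges in the table above can be turned into a quick inventory triage check. The following is an added example (not Progress Software's code): it compares dotted build strings against the advisory's last affected versions; the hostnames and inventory lines are constructed sample data. Because the fix ships as an add-on package rather than a new build number, a host flagged here may already be patched, so the add-on's presence still has to be confirmed separately.

```python
"""Flag LoadMaster / MT Hypervisor builds inside the affected ranges from the
advisory table: 7.2.60.0 and prior (LoadMaster), 7.1.35.11 and prior
(Multi-Tenant Hypervisor). Sample inventory below is constructed, not real."""

# Highest affected version per product, taken from the advisory table.
AFFECTED_UP_TO = {
    "LoadMaster": (7, 2, 60, 0),
    "Multi-Tenant Hypervisor": (7, 1, 35, 11),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string such as '7.2.59.2' into a comparable tuple.
    Shorter strings are padded with zeros so '7.2.60' == '7.2.60.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(product: str, version: str) -> bool:
    """True when the build is at or below the last affected version; tuple
    comparison keeps 7.2.100.0 newer than 7.2.60.0 (string compare would not)."""
    try:
        ceiling = AFFECTED_UP_TO[product]
    except KeyError:
        raise ValueError(f"unknown product: {product!r}")
    return parse_version(version) <= ceiling

def triage(inventory: str) -> list[tuple[str, str, str]]:
    """Parse 'hostname,product,version' lines and return (host, product, version)
    for every entry still running a build inside the affected range."""
    hits = []
    for line in inventory.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        if is_affected(product, version):
            hits.append((host, product, version))
    return hits

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
adc-edge-01,LoadMaster,7.2.60.0
adc-edge-02,LoadMaster,7.2.61.0
mt-hv-01,Multi-Tenant Hypervisor,7.1.35.11
mt-hv-02,Multi-Tenant Hypervisor,7.1.35.12
adc-lab-01,LoadMaster,7.2.59
"""

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```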
The good news is that Progress is not aware of attacks in the wild exploiting this vulnerability.
“We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers” states the advisory. “Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment.”