Kemp Load Balancer Command Injection Vulnerability Allows Full Compromise


A critical vulnerability has been discovered in Kemp’s LoadMaster Load Balancer, allowing for full system compromise through a command injection attack.

This security flaw, identified as CVE-2024-7591, affects all LoadMaster versions up to and including 7.2.60.0, as well as multi-tenant hypervisors up to version 7.1.35.11.

The vulnerability exists in the Web User Interface (WUI) of the Kemp LoadMaster, specifically in the login process.

It requires no authentication and can be exploited remotely by anyone with access to the WUI.

Security researchers at Insinuator identified that the flaw stems from inadequate input sanitization in the login functionality, allowing attackers to inject and execute arbitrary commands on the system.


Technical Analysis

The vulnerability was uncovered during a security research project focused on the Kemp LoadMaster, a widely used load balancing application.

The researcher identified the issue by examining the software’s file system and analyzing the scripts powering the WUI.

The WUI scripts are written in BASH and located in the /usr/wui/progs directory, and the login process involves a POST request to /progs/status/login. The vulnerable code is in the read_pass function, which makes use of an eval statement without proper input sanitization.
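
The bug class described above, eval applied to unsanitized login input, is shown here as an added example; it is not Kemp's code or the researchers' code. The function names, field names and sample value are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Hypothetical login-field handler, not Kemp's code. It stores a decoded
# POST field in a shell variable named after the field.

# Vulnerable: the value is pasted into the string that eval parses, so a
# single quote in the value ends the literal and the rest runs as shell code.
store_field_unsafe() {
    eval "$1='$2'"
}

# Hardened: the field name must be on an allowlist, and eval only ever sees
# the literal text "$2", so the value is assigned as data and never parsed.
store_field_safe() {
    case "$1" in
        user|pass) ;;
        *) return 1 ;;
    esac
    eval "$1=\$2"
}

# Constructed input: a quote followed by a harmless marker assignment.
SAMPLE_VALUE="x'; INJECTED=yes; : '"

# Each demo prints "yes" if the marker assignment inside the value executed.
demo_unsafe() {
    INJECTED=no
    store_field_unsafe pass "$SAMPLE_VALUE"
    printf '%s\n' "$INJECTED"
}

demo_safe() {
    INJECTED=no
    store_field_safe pass "$SAMPLE_VALUE" || return 1
    # The whole value, quote included, must arrive intact as data.
    [ "$pass" = "$SAMPLE_VALUE" ] || return 1
    printf '%s\n' "$INJECTED"
}

echo "unsafe handler, injected code ran: $(demo_unsafe)"
echo "safe handler,   injected code ran: $(demo_safe)"
```

When auditing shell-based web handlers, any eval whose argument string expands request data directly is the pattern to look for.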

The exploitation process involves crafting a specially formatted payload that bypasses the system’s input processing mechanisms. By manipulating the input to the pass_read function and leveraging a loophole in the base64_encode function, an attacker can execute arbitrary commands on the target system.

This vulnerability poses a significant risk to organizations using affected versions of Kemp LoadMaster, as it allows attackers to gain full control over the load balancer.

This could potentially lead to:-

The complete disclosure timeline is as follows:

  • July 29, 2024: Vulnerability reported to Kemp
  • July 30, 2024: Kemp acknowledges receipt and forwards to the responsible team
  • September 6, 2024: Kemp releases fixed versions and publishes CVE-2024-7591
  • November 27, 2024: Public disclosure of the vulnerability

Organizations using Kemp LoadMaster are urged to assess their systems and apply the necessary updates to protect against potential exploitation of this critical vulnerability.
