Progress LoadMaster Security Vulnerabilities Let Attackers Execute Arbitrary System Commands


Progress has disclosed multiple critical security vulnerabilities affecting its LoadMaster product line, including the Multi-Tenant (MT) hypervisor. 

These vulnerabilities, identified as CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, and CVE-2024-56135, allow attackers to execute arbitrary system commands or access sensitive files. 

While no exploitation reports have surfaced, customers are strongly urged to update their systems immediately to mitigate potential risks.

LoadMaster Security Vulnerabilities

CVE-2024-56131 / CVE-2024-56132 / CVE-2024-56133 / CVE-2024-56135

These vulnerabilities stem from improper input validation in the LoadMaster management interface. 

Authenticated attackers can exploit these flaws by sending specially crafted HTTP requests to execute arbitrary operating system (OS) commands. 

The root cause lies in insufficient sanitization of user input, which Progress has addressed in the latest firmware updates by implementing stricter input validation mechanisms.

CVE-2024-56134

This vulnerability allows authenticated attackers to download the contents of any file on the system by issuing a crafted HTTP request. 

Like the other vulnerabilities, this issue was mitigated through enhanced input sanitization.

The vulnerabilities are classified as high-severity due to their potential for OS command injection and unauthorized file access by authenticated users with management interface access. 

While no active exploitation has been reported, delaying updates could leave systems vulnerable to attacks.

Affected Versions and Fixes

The vulnerabilities impact all current LoadMaster releases and specific versions of the Multi-Tenant LoadMaster (MT) hypervisor. Below is a summary of affected and patched versions:

For Multi-Tenant LoadMaster users, both the instantiated Virtual Network Functions (VNFs) and the MT hypervisor/Manager node must be updated to secure versions.

Recommendation

To address these vulnerabilities:

Download and install the patched firmware versions from the Progress Knowledge Base or official support portal.

  • For LoadMaster: Upgrade to version 7.2.61.0 (GA) or 7.2.54.13 (LTSF).
  • For Multi-Tenant LoadMaster: Upgrade to version 7.1.35.13 (GA).
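As an added example (not Progress's code or tooling), the following Python check maps the fix versions listed above onto a constructed device inventory and flags hosts still below them. The branch rule it applies (7.2.54.x treated as the LTSF line, every other LoadMaster line compared against the GA fix) and the hostnames are assumptions, not details from the advisory.

```python
"""Flag LoadMaster devices still below the fix versions named in this advisory.
Added example, not Progress code. Assumed rule: a LoadMaster on the 7.2.54 LTSF line is
patched at or above 7.2.54.13, any other LoadMaster line at or above 7.2.61.0 (GA), and the
MT hypervisor/Manager at or above 7.1.35.13; anything else counts as vulnerable, because
the advisory states that all current releases are affected.
"""
from typing import List, Tuple

LTSF_LINE = (7, 2, 54)  # long-term support branch of LoadMaster (assumed mapping)
FIXED = {               # fix versions quoted in the advisory
    ("loadmaster", "ltsf"): (7, 2, 54, 13),
    ("loadmaster", "ga"): (7, 2, 61, 0),
    ("mt", "ga"): (7, 1, 35, 13),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '7.2.59.2' into (7, 2, 59, 2); reject anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised LoadMaster version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(product: str, version: str) -> bool:
    """product is 'loadmaster' (appliance or VNF) or 'mt' (MT hypervisor/Manager node)."""
    v = parse_version(version)
    if product == "mt":
        return v >= FIXED[("mt", "ga")]
    if product == "loadmaster":
        line = "ltsf" if v[:3] == LTSF_LINE else "ga"
        return v >= FIXED[("loadmaster", line)]
    raise ValueError(f"unknown product: {product!r}")

def find_unpatched(inventory: str) -> List[str]:
    """Return hostnames from 'host,product,version' lines that still need the update."""
    needs_update = []
    for line in inventory.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        if not is_patched(product, version):
            needs_update.append(host)
    return needs_update

# Constructed inventory export; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """
lm-edge-01,loadmaster,7.2.59.2
lm-edge-02,loadmaster,7.2.61.0
lm-core-01,loadmaster,7.2.54.9
lm-core-02,loadmaster,7.2.54.13
mt-mgr-01,mt,7.1.35.12
mt-vnf-01,loadmaster,7.2.61.3
"""
```

Feed it a real export from your inventory or monitoring system in the same `host,product,version` shape; for Multi-Tenant deployments list both the VNFs (as `loadmaster`) and the hypervisor/Manager node (as `mt`), since both must be updated.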

Progress has taken swift action by releasing updates that resolve these critical security flaws through enhanced input sanitization techniques. 

Customers are advised to prioritize system upgrades immediately and adhere to best practices for securing their environments against potential threats.
