
Progress Software issues fix for severe LoadMaster RCE flaw


An emergency fix was released for a maximum severity vulnerability, tracked as CVE-2024-7591, affecting Progress Software’s LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. The flaw enables threat actors to execute commands on devices remotely.

CVE-2024-7591 has been categorised as an improper input validation issue that could allow unauthenticated, remote attackers to gain access to LoadMaster’s management interface through a specially crafted HTTP request.

LoadMaster is an application delivery controller and load balancer used by large organisations to enhance the availability, scalability, performance and security of business-related applications and websites. Organisations use it to improve app performance, manage network traffic and maintain high service availability. The MT Hypervisor version was developed for multi-tenant environments, allowing multiple virtual network functions to operate on the same hardware.

The maximum severity flaw, with a CVSS score of 10, affects LoadMaster 7.2.60.0 and prior releases, and MT Hypervisor 7.1.35.11 and prior releases. The Long-Term Support and Long-Term Support with Feature branches are also affected.
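A small version check, written here as an added example rather than anything provided by Progress Software or the article, that compares a LoadMaster or MT Hypervisor version string against the affected ranges stated above. The product keys and the four-component version format are assumptions; note that because the fix ships as an add-on package, a version in the affected range does not by itself tell you whether the add-on has been installed.

```python
from typing import Dict, Tuple

# Upper bound of the affected range for each product, as stated in the article:
# LoadMaster 7.2.60.0 and prior, MT Hypervisor 7.1.35.11 and prior.
# The product keys are hypothetical labels chosen for this example.
AFFECTED_MAX: Dict[str, Tuple[int, ...]] = {
    "loadmaster": (7, 2, 60, 0),
    "mt_hypervisor": (7, 1, 35, 11),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple.

    Shorter strings such as "7.2.60" are padded with zeros so that they
    compare equal to "7.2.60.0" rather than sorting before it.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in parts)
    return numbers + (0,) * (4 - len(numbers))


def is_affected(product: str, version: str) -> bool:
    """Return True when `version` falls inside the affected range for `product`."""
    if product not in AFFECTED_MAX:
        raise KeyError(f"unknown product: {product!r}")
    return parse_version(version) <= AFFECTED_MAX[product]


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    inventory = [
        ("loadmaster", "7.2.60.0"),
        ("loadmaster", "7.2.59"),
        ("mt_hypervisor", "7.1.35.11"),
        ("mt_hypervisor", "7.1.35.12"),
    ]
    for product, version in inventory:
        status = "AFFECTED" if is_affected(product, version) else "outside affected range"
        print(f"{product} {version}: {status}")
```

Whatever the result, the add-on package should still be applied to the affected versions, and the free edition (which the article says does not receive the update) should be treated as at risk regardless of its version.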

Due to the absence of user input sanitisation, adversaries could execute arbitrary commands on vulnerable endpoints of affected systems. Progress Software’s security bulletin stated that they did not receive any information on the flaw being actively exploited as of the bulletin’s publication. Additionally, they have not received information on any customers being directly impacted by the problem.

The company issued an add-on package that can be installed on versions affected by the vulnerability, including older versions. Progress Software said, “This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system command execution.”
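The article describes the defect as missing sanitisation of request input, and the fix as sanitising that input before it reaches a system command. The following Python example is added here to illustrate that defensive pattern in general; it is not code from LoadMaster or Progress Software, and the handler, the parameter name and the `ping` command it builds are all hypothetical. It shows the two controls that together close this class of bug: a strict allowlist on the value, and passing the command as an argument vector rather than a shell string.

```python
import re
import subprocess
from typing import List, Optional

# Hypothetical allowlist: the request parameter may only be a hostname or IPv4 address
# made of alphanumeric labels and hyphens, separated by dots (RFC 1123 style).
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters that have meaning to a shell; rejected explicitly as a second line of
# defence even though the allowlist above would never admit them.
SHELL_META = set(";|&`$<>(){}\n\r'\"\\ \t")


def validate_host(value: str) -> Optional[str]:
    """Return the value unchanged if it passes the allowlist, otherwise None."""
    if not value or len(value) > 253:
        return None
    if any(ch in SHELL_META for ch in value):
        return None
    if not HOST_RE.fullmatch(value):
        return None
    return value


def build_ping_command(host_param: str) -> Optional[List[str]]:
    """Build the command for a hypothetical diagnostic endpoint.

    The unsafe pattern this replaces is string concatenation such as
    subprocess.run(f"ping -c 1 {host_param}", shell=True), where an unvalidated
    parameter is interpreted by the shell. Here the value is validated first and
    handed to the program as a single argv element, so it is never parsed as a
    command line.
    """
    host = validate_host(host_param)
    if host is None:
        return None
    return ["ping", "-c", "1", host]


def handle_diagnostic_request(params: dict) -> str:
    """Minimal request handler: reject bad input before any command runs."""
    command = build_ping_command(params.get("host", ""))
    if command is None:
        return "400 Bad Request: host parameter rejected by input validation"
    # shell=False (the default) plus an argv list: no shell interpretation at all.
    result = subprocess.run(command, capture_output=True, text=True, timeout=5)
    return result.stdout if result.returncode == 0 else "ping failed"


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in ["lb.example.com", "10.0.0.1", "host; id", "a|b", ""]:
        print(f"{sample!r:>20} -> {build_ping_command(sample)}")
```

The key design point is that validation alone is not what makes the handler safe; even a validated value should reach the operating system as an argument, not as part of a shell string, so that a gap in the allowlist does not immediately become command execution.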

The add-on patch removes the need to upgrade to a target version in order to address the risk from the remote code execution flaw. The free version of LoadMaster does not receive the update and remains at risk from CVE-2024-7591.

The company further said, “Nevertheless, we are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment.” After downloading the add-on, it can be installed through the controls on the System Configuration > System Administration > Update Software page of the UI.


Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
