Progress Software Fixes Critical LoadMaster Vulnerability
Urgent Fix Addresses Critical Flaw That Allows Remote Code Execution
Progress Software released an urgent patch Thursday to fix a critical vulnerability that hackers could exploit to launch remote attacks.
The security update addresses CVE-2024-7591, which affects all versions of LoadMaster and LoadMaster Multi-Tenant Hypervisor.
LoadMaster is an application delivery controller that enhances app performance, scalability and security through load balancing, SSL offloading and WAF. LoadMaster Multi-Tenant Hypervisor is a version designed for multi-tenant environments that provides high throughput, network port density, and secure, isolated environments for multiple clients.
The critical vulnerability is classified as a remote code execution flaw and has a maximum-severity score of 10.0 on the CVSS scale. It could allow unauthenticated remote attackers to execute arbitrary system commands by sending specially crafted HTTP requests.
Progress Software was at the center of a Memorial Day 2023 mass hacking incident that started when a cybercriminal group exploited a zero-day vulnerability in the Massachusetts company's MOVEit file transfer software. By last count, the attack affected 2,773 organizations. It formed part of a cascade of incidents involving edge devices such as those made by Progress (see: Surge in Attacks Against Edge and Infrastructure Devices).
While there have been no reports of active exploitation of this newest Progress flaw, the company said it strongly encourages all LoadMaster customers to install the patch immediately.
The vulnerability arises from improper input validation. A crafted HTTP request to the LoadMaster management interface could result in unauthorized access, complete system compromise, data theft, service disruption or use of the compromised system as a launch pad for further attacks within the network.
The vulnerability affects LoadMaster virtual network functions and the MT hypervisor manager node. The patch sanitizes user input in HTTP requests to prevent arbitrary command execution.
Customers can download and install the add-on patch from Progress Software's support portal, even if the product's support has expired.