
Progress Software Fixes Critical LoadMaster Vulnerability

Urgent Fix Addresses Critical Flaw That Allows Remote Code Execution
Progress Software released an urgent patch for a remote code execution flaw. (Image: Progress Software)

Progress Software released an urgent patch Thursday to fix a critical vulnerability that hackers could exploit to launch remote attacks.

The security update addresses CVE-2024-7591, which affects all versions of LoadMaster and LoadMaster Multi-Tenant Hypervisor.

LoadMaster is an application delivery controller that improves application performance, scalability and security through load balancing, SSL offloading and a web application firewall (WAF). LoadMaster Multi-Tenant Hypervisor is a version designed for multi-tenant environments, providing high throughput, network port density and secure, isolated environments for multiple clients.

The critical vulnerability is classified as a remote code execution flaw and has a maximum-severity score of 10.0 on the CVSS scale. It could allow unauthenticated remote attackers to execute arbitrary system commands by sending specially crafted HTTP requests.

Progress Software was at the center of a Memorial Day 2023 mass hacking incident that began when a cybercriminal group exploited a zero-day vulnerability in the Massachusetts-based company's MOVEit file transfer software. By last count, the attack affected 2,773 organizations. It formed part of a cascade of incidents involving edge devices such as those made by Progress (see: Surge in Attacks Against Edge and Infrastructure Devices).

While there have been no reports of active exploitation of this newest Progress flaw, the company said it strongly encourages all LoadMaster customers to install the patch immediately.

The vulnerability arises from improper input validation. A crafted HTTP request to the LoadMaster management interface could result in unauthorized access, complete system compromise, data theft, service disruption or use of the compromised system as a launch pad for further attacks within the network.

The vulnerability affects LoadMaster virtual network functions and the Multi-Tenant (MT) hypervisor manager node. The patch sanitizes user input in HTTP requests to prevent arbitrary command execution.
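To make the bug class concrete, here is an added illustration of the pattern the article describes: an HTTP parameter that reaches a system command without validation, beside a hardened handler that allowlists the value and never goes through a shell. This is constructed example code, not Progress Software's code and not the actual LoadMaster flaw; the parameter name `iface`, the allowlist pattern, the `ip link show` command and the sample requests are all assumptions chosen for illustration.

```python
"""Constructed example: unvalidated HTTP parameter vs. allowlisted, shell-free
handling. Hypothetical code, not LoadMaster's."""
from __future__ import annotations

import re
import subprocess

# Allowlist for a hypothetical "iface" request parameter: only strings shaped
# like a network interface name are accepted, nothing else.
IFACE_RE = re.compile(r"[A-Za-z0-9._-]{1,15}")

# Constructed sample requests, as a handler might receive them.
SAMPLE_REQUESTS = [
    {"iface": "eth0"},          # legitimate
    {"iface": "bond0.100"},     # legitimate VLAN-style name
    {"iface": "eth0;ls"},       # contains a shell separator: must be rejected
    {"iface": ""},              # empty: must be rejected
]


def vulnerable_command(iface: str) -> str:
    """Anti-pattern: the raw parameter is spliced into a shell command string.
    If that string later reaches a shell, any metacharacter in `iface` changes
    what runs. Shown only to contrast with the hardened version below."""
    return f"ip link show {iface}"


def is_valid_iface(iface: str) -> bool:
    """Allowlist check: the whole value must match the interface-name shape."""
    return IFACE_RE.fullmatch(iface) is not None


def hardened_argv(iface: str) -> list[str]:
    """Validate first, then build an argv list. With no shell involved, the
    value is always a single literal argument to the program."""
    if not is_valid_iface(iface):
        raise ValueError(f"rejected parameter: {iface!r}")
    return ["ip", "link", "show", iface]


def run_without_shell(argv: list[str]) -> str:
    """Execute an argv list with shell=False and return its stdout."""
    result = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=False
    )
    return result.stdout


def literal_argument_demo(value: str) -> str:
    """Show that with shell=False a metacharacter-laden string is just data:
    echo prints it verbatim instead of a shell interpreting it."""
    return run_without_shell(["echo", value]).rstrip("\n")


def handle_request(params: dict) -> dict:
    """Simulated request handler: rejects bad input with a 400 instead of
    letting it anywhere near command construction."""
    iface = params.get("iface", "")
    if not is_valid_iface(iface):
        return {"status": 400, "error": "invalid iface"}
    return {"status": 200, "argv": hardened_argv(iface)}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", handle_request(req))
    print("unvalidated string a shell would interpret:", vulnerable_command("eth0;ls"))
    print("same string passed as one argv element:", literal_argument_demo("eth0;ls"))
```

The defensive point is twofold: reject anything outside the expected shape before it is used, and build commands as argument vectors rather than strings, so that even a value that slips past validation is passed to the program as literal data.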

Customers can download and install the add-on patch from Progress Software's support portal, even if the product's support has expired.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



