A newly disclosed bug in Progress Kemp’s application delivery platform could allow unauthenticated command execution.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a critical alert concerning a recently disclosed vulnerability in Progress Kemp’s LoadMaster, a cloud-based application delivery platform.
The flaw – officially CVE-2024-1212 – could allow a threat actor with access to LoadMaster’s management interface to issue a “carefully crafted API command”, in the words of Progress Kemp, that will allow the attacker to execute arbitrary system commands.
The vulnerability affects all releases of the LoadMaster platform after version 7.2.48.1, and Progress Kemp rates the bug as critical, with a CVSS score of 10.
The same flaw is present in Progress Kemp’s ECS Connection Manager product as well.
Progress Kemp has released patches for the affected versions of LoadMaster, along with a guide on how to apply them. Users of the free version, however, will need to back up their configuration, deploy a new version of the platform that does not contain the vulnerability, and then restore the backed-up configuration.
The ACSC is recommending users of the platform follow Progress Kemp’s mitigation advice.
Progress Kemp has also changed its password policy.
“In line with this announcement, we have updated our password policy,” Progress Kemp said in its advisory. “Please read the guidelines and reset your password. We are also strongly recommending that customers follow our security hardening guidelines.”
Thankfully, the ACSC has not had any reports of the vulnerability being exploited in the wild.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.