SonicWALL Inc.

03/27/2024 | Press release | Distributed by Public on 03/28/2024 09:40

Progress Kemp LoadMaster Unauthenticated Command Injection Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an Unauthenticated Command Injection in Progress Kemp LoadMaster, assessed its impact and developed mitigation measures for it. Kemp Technologies, whose LoadMaster is an application delivery controller and load balancer, published an advisory on this vulnerability affecting all LoadMaster releases after 7.2.48.1 and the LoadMaster Multi-Tenant (MT) VFNs. LoadMaster can be deployed on a vast array of platforms, including hardware, cloud and virtual machines. Considering the sizeable user base and low attack complexity, LoadMaster users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.

CVE Details

The Unauthenticated Command Injection vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-1212. The CVSS score is 9.8 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server. The flaw lies in the handling of the path "/access/set?param=enableapi&value=1" together with the "verify_perms()" function that gates the RESTful API interface to the LoadMaster.

Figure 1: LoadMaster CGI Bash Script

As seen in the code shared by Rhino Security Labs in Figure 1, passing user input directly to system functions exposes the web interface to security risks, leading to the critical vulnerability tracked as CVE-2024-1212. Before being passed to any function, user input should always be parameterized and sanitized, reducing the likelihood of such flaws. A diligent code review process before public release is vital.

Triggering the Vulnerability

As seen in the code shared by Rhino Security Labs in Figure 1, user input to the "/access/" API is placed directly into a bash script, leading to the critical vulnerability CVE-2024-1212. Before being passed to any function, user input should always be parameterized and sanitized.

Leveraging this unauthenticated command injection vulnerability requires access to a vulnerable LoadMaster administrator web user interface. The PoC also shows the possibility of privilege escalation once the shell is obtained.

An example request looks like http[:]//target-ip:port/access/set?param=enableapi&value=1. The unauthenticated endpoint is accessed with a Basic Authorization HTTP header, as shown in Figure 2.

Figure 2: Triggering CVE-2024-1212 PoC packet capture

The default administrator account on a LoadMaster instance is a user named "bal", as shown in Figure 3. An attacker can take full control of the system by manipulating sudo user entries via the management interface.

Figure 3: Default LoadMaster interface
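A defensive check for the request pattern described above, added here as an example that is neither the advisory's nor Progress Kemp's code: it scans constructed proxy-style records of the management interface for hits on the enableapi endpoint and for shell metacharacters in the Basic credential that, per the page, ends up in a bash script. The "METHOD TARGET AUTH" record layout and the SHELL_META pattern are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# API-enable endpoint named in the advisory, reachable without a valid session.
VULN_PATH = "/access/set"
# Shell metacharacters that should never appear in a Basic credential sent to
# the management interface (assumption: admin usernames such as "bal" never contain them).
SHELL_META = re.compile(r"[;|&`$(){}<>\n\\]")

def decode_basic(header):
    """Return the decoded 'user:password' of a Basic header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        return base64.b64decode(header[6:], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect(line_no, target, auth):
    """Flag one request record; returns a list of (line number, reason)."""
    findings = []
    parts = urlsplit(target)
    if parts.path == VULN_PATH and parse_qs(parts.query).get("param") == ["enableapi"]:
        findings.append((line_no, "hit on /access/set?param=enableapi (CVE-2024-1212 endpoint)"))
    cred = decode_basic(auth)
    if cred is not None and SHELL_META.search(cred):
        findings.append((line_no, "shell metacharacters in Basic credential"))
    return findings

def scan(log):
    """Parse 'METHOD TARGET AUTH' records (assumed proxy log format) and inspect each."""
    out = []
    for n, raw in enumerate(log.splitlines(), 1):
        if raw.strip():
            _method, target, auth = raw.split(" ", 2)
            out.extend(inspect(n, target, None if auth == "-" else auth))
    return out

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample records (not a real capture): ordinary admin call, enableapi
# hit with a clean credential, enableapi hit with a metacharacter, plain login.
SAMPLE_LOG = "\n".join([
    "GET /access/get?param=version " + basic("bal", "pw"),
    "GET /access/set?param=enableapi&value=1 " + basic("bal", "pw"),
    "GET /access/set?param=enableapi&value=1 " + basic("bal;x", "pw"),
    "POST /login -",
])
```

Running scan(SAMPLE_LOG) reports records 2 and 3 for the endpoint hit and record 3 again for the metacharacter, so a second hit on the same record is the strongest signal to escalate.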

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4362

Threat Graphs

SonicWall sensors have confirmed active exploitation of this vulnerability. The graph below indicates an increasing number of exploitation attempts over the last 40 days.

Sid: 4362

Figure 4: Threat graph

Remediation Recommendations

Considering the severe consequences of this vulnerability and the observed trend of unauthenticated attackers attempting to gain LoadMaster management interface access using the exploit in the wild, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.