Progress Kemp LoadMaster Unauthenticated Command Injection Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability — an Unauthenticated Command Injection — in Progress Kemp Loadmaster, assessed its impact and developed mitigation measures for it. Kemp Technologies’ LoadMaster, an application delivery controller and load balancer, published an advisory on this vulnerability affecting all LoadMaster releases after 7.2.48.1 and the LoadMaster Multi-Tenant (MT) VFNs. LoadMaster can be deployed on various platforms such as hardware, cloud and virtual machines. This vulnerability is identified as CVE-2024-1212 and was assigned a critical CVSS score of 9.8.  Considering the sizeable user base, low attack complexity and publicly available exploit code including a Metasploit module, LoadMaster users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server.

The conditions that led to the exploitation of the vulnerability in the Progress Kemp LoadMaster load balancer were:

• Bypassing Disabled API Restrictions: It was possible to access the REST API, even when disabled, by crafting a specific request path and parameters. This bypass allowed researchers to reach critical functions that were supposed to be inaccessible with the API disabled.
• Unauthenticated User Input Handling: The system did not properly validate or sanitize the “REMOTE_USER” and “REMOTE_PASS” environment variables, which were set based on user-provided basic authentication headers. This flaw allowed for the injection of arbitrary commands.
• Command Injection via System Call: The lack of validation and sanitization led to constructing a command with user-controllable input that was then passed to a system() call. This behavior facilitated the execution of arbitrary commands on the system.
• Exploiting Basic Authentication for Command Execution: By manipulating the base64-encoded authorization string sent in the HTTP headers, attackers could inject commands that the server would execute, enabling a direct path to command injection and system compromise.

Triggering the Vulnerability

The flaw is in the processing of the “/access/” RESTful API Interface to the LoadMaster.

Figure 1: LoadMaster CGI Bash Script

As seen in the code shared by RhinoSecurity Labs in Figure 1,  user input to the “/access/” API is directly put into a bash script leading to a critical vulnerability tracked as CVE-2024-1212. Before being passed to any function(s), the user input should be mandatorily parameterized and sanitized.

Leveraging this unauthenticated command injection vulnerability requires access to the vulnerable LoadMaster administrator web user interface. The publicly available also shows the possibility of privilege escalation once the shell is obtained.

An example request to trigger the vulnerability would look like this http[:]//target-ip:port/access/set?param=enableapi&value=1 with the Authorization parameter containing the command injection, as shown in Figure 2.

Figure 2: Triggering CVE-2024-1212 PoC packet capture

Notice the command injection is base64 encoded. When decoded, the attacker is sending the ‘;echo ‘[S]’hostname;echo’[E]’;’:anything as shown in Figure 3.

Figure 3: Decoded-authorization-header

The default admin configuration of a LoadMaster instance is a user named “bal”, as shown in Figure 4. One can fully control the system by manipulating sudo user entries via the management interface.

Figure 4: Default LoadMaster interface

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

• IPS 4362 – Progress Kemp LoadMaster Command Injection

Threat Graphs

SonicWall sensors have confirmed exploitation attempts of this vulnerability. The graph below indicates increased exploitation attempts over the last 6 days.

Figure 5: Threat graph

Remediation Recommendations

Considering the severe consequences of this vulnerability and the trending of unauthenticated nefarious activists trying to get Loadmaster management interface access using the exploit in the wild, users are strongly encouraged to upgrade their instances as published in the vendor advisory.

Relevant Links

• NVD
• GitHub PoC
• Latest LoadMaster-Firmware
• GitHub Advisory Database
• RhinoSecurity Labs blog
• LoadMaster Advisory
• LoadMaster Release Notice
• LoadMaster ECS Connection Manager Advisory

*Originally this article claimed we had confirmed active exploitation of this vulnerability. This was a mistake. We have confirmed exploitation attempts, and the article now reflects that.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.