Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands.
Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection.
“It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed,” the company said in an advisory last week.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution.”
The flaw affects the following versions –
- LoadMaster (7.2.60.0 and all prior versions)
- Multi-Tenant Hypervisor (7.1.35.11 and all prior versions)
Security researcher Florian Grunow has been credited with discovering and reporting the flaw. Progress said it has found no evidence of the vulnerability being exploited in the wild.
That said, it’s recommended that users apply the latest fixes as soon as possible by downloading an add-on package. The update can be installed by navigating to System Configuration > System Administration > Update Software.
“We are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment,” the company said. “We also strongly recommend that customers follow our security hardening guidelines.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com