Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands.
Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection.
“It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed,” the company said in an advisory last week.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution.”
The flaw affects the following versions –
- LoadMaster (7.2.60.0 and all prior versions)
- Multi-Tenant Hypervisor (7.1.35.11 and all prior versions)
Security researcher Florian Grunow has been credited with discovering and reporting the flaw. Progress said it has found no evidence of the vulnerability being exploited in the wild.
That said, it’s recommended that users apply the latest fixes as soon as possible by downloading an add-on package. The update can be installed by navigating to System Configuration > System Administration > Update Software.
“We are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment,” the company said. “We also strongly recommend that customers follow our security hardening guidelines.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com