____________________
Summary: The SonicWall Capture Labs threat research team has discovered an Unauthenticated Command Injection vulnerability in Progress Kemp LoadMaster. This vulnerability allows attackers to bypass authentication and execute arbitrary commands on the system. LoadMaster users are advised to upgrade their instances immediately.
____________________
Key Points:
* The vulnerability affects Progress Kemp LoadMaster releases after 7.2.48.1 and LoadMaster Multi-Tenant (MT) VFNs.
* Attackers can bypass disabled API restrictions and exploit unauthenticated user input handling to inject arbitrary commands.
* The vulnerability can be triggered through the “RESTful API” interface to the LoadMaster.
* SonicWall has released IPS signature 4362 to protect against this vulnerability.
* Active exploitation of this vulnerability has been observed.
____________________
Overview
The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an unauthenticated command injection, in Progress Kemp LoadMaster, assessed its impact and developed mitigation measures for it. Kemp Technologies published an advisory for LoadMaster, its application delivery controller and load balancer, covering all LoadMaster releases after 7.2.48.1 and the LoadMaster Multi-Tenant (MT) VFNs. LoadMaster can be deployed on various platforms such as hardware, cloud and virtual machines. This vulnerability is identified as CVE-2024-1212 and was assigned a critical CVSS score of 9.8. Considering the sizeable user base, low attack complexity and publicly available exploit code, including a Metasploit module, LoadMaster users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.
Technical Overview
This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server.
The conditions that led to the exploitation of the vulnerability in the Progress Kemp LoadMaster load balancer were:
- Bypassing Disabled API Restrictions: It was possible to access the REST API, even when disabled, by crafting a specific request path and parameters. This bypass allowed researchers to reach critical functions that were supposed to be inaccessible with the API disabled.
- Unauthenticated User Input Handling: The system did not properly validate or sanitize the “REMOTE_USER” and “REMOTE_PASS” environment variables, which the web server populated from the user-supplied HTTP Basic Authentication header. This flaw allowed for the injection of arbitrary commands.
- Command Injection via System Call: The lack of validation and sanitization led to constructing a command with user-controllable input that was then passed to a system() call. This behavior facilitated the execution of arbitrary commands on the system.
- Exploiting Basic Authentication for Command Execution: By manipulating the base64-encoded authorization string sent in the HTTP headers, attackers could inject commands that the server would execute, enabling a direct path to command injection and system compromise.
Triggering the Vulnerability
The flaw is in the processing of the “/access/” RESTful API Interface to the LoadMaster.
Figure 1: LoadMaster CGI Bash Script
As seen in the code shared by Rhino Security Labs in Figure 1, user input to the “/access/” API is placed directly into a bash script, leading to the critical vulnerability tracked as CVE-2024-1212. User input must be validated and sanitized before it is passed to any function.
Leveraging this unauthenticated command injection vulnerability requires network access to the vulnerable LoadMaster administrator web user interface. The publicly available exploit also shows the possibility of privilege escalation once a shell is obtained.
An example request to trigger the vulnerability would look like this: http[:]//target-ip:port/access/set?param=enableapi&value=1, with the Authorization header containing the command injection, as shown in Figure 2.
Figure 2: Triggering CVE-2024-1212 PoC packet capture
Notice that the command injection is base64 encoded. When decoded, the attacker is sending ';echo '[S]'hostname;echo'[E]';':anything as shown in Figure 3.
Figure 3: Decoded authorization header
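As an added defensive example (not part of the SonicWall write-up or of any LoadMaster code), the following Python inspects a captured HTTP request for the exploitation pattern described above: the “/access/” path combined with the param=enableapi&value=1 bypass, and a Basic Authorization credential that, once base64-decoded, carries shell metacharacters. The sample requests, host name and benign password are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in a credential a CGI splices into a command.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\]")

def decode_basic_auth(header_value):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:  # binascii.Error is a ValueError subclass
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    user, _, password = raw.partition(":")
    return user, password

def inspect_request(request_line, headers):
    """Return the CVE-2024-1212 indicators one request matches (empty list = clean)."""
    indicators = []
    target = request_line.split(" ")[1] if " " in request_line else request_line
    parts = urlsplit(target)
    if parts.path.startswith("/access/"):
        indicators.append("restful-api-path")
        query = parse_qs(parts.query)
        # The public PoC re-enables the REST API in the same request it abuses.
        if query.get("param") == ["enableapi"] and query.get("value") == ["1"]:
            indicators.append("enableapi-bypass")
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if auth is not None:
        creds = decode_basic_auth(auth)
        if creds is None:
            indicators.append("malformed-basic-auth")
        else:
            for label, value in zip(("user", "password"), creds):
                if SHELL_META.search(value):
                    indicators.append("shell-metachar-in-" + label)
    return indicators

def basic(user_pass):
    return "Basic " + base64.b64encode(user_pass.encode()).decode()

# Constructed sample traffic (not captured data): the Figure 2/3 request shape with
# the hostname payload quoted in the write-up, and an ordinary authenticated call.
SAMPLES = {
    "exploit": ("GET /access/set?param=enableapi&value=1 HTTP/1.1", {"Authorization": basic("';echo '[S]'hostname;echo'[E]';':anything")}),
    "benign": ("GET /access/get?param=version HTTP/1.1", {"Authorization": basic("bal:ExamplePass-1")}),
}
```

Run `inspect_request` over proxy or web-server access records that retain the Authorization header; a hit on both "enableapi-bypass" and a "shell-metachar-in-*" indicator is the signature of the attempt shown in Figures 2 and 3.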
The default admin account of a LoadMaster instance is a user named “bal”, as shown in Figure 4. Once a shell is obtained, the system can be fully controlled by manipulating sudo user entries via the management interface.
Figure 4: Default LoadMaster interface
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS 4362 – Progress Kemp LoadMaster Command Injection
Threat Graphs
SonicWall sensors have confirmed active exploitation of this vulnerability. The graph below indicates increased exploitation attempts over the last 6 days.
Figure 5: Threat graph
Remediation Recommendations
Considering the severe consequences of this vulnerability and the observed trend of unauthenticated attackers using the public exploit in the wild to gain access to the LoadMaster management interface, users are strongly encouraged to upgrade their instances as described in the vendor advisory.