Keypoints
- The issue is an unauthenticated command injection (CVE-2024-1212) affecting LoadMaster releases after 7.2.48.1 and LoadMaster Multi-Tenant VFNs.
- Attackers can reach the REST API even when it is disabled by crafting specific request paths and parameters.
- Unsanitized handling of REMOTE_USER and REMOTE_PASS (derived from Basic Auth) allows injection of arbitrary input into a bash script that is later passed to a system() call.
- The vulnerable endpoint is the /access/ RESTful API (example trigger: /access/set?param=enableapi&value=1 with malicious Authorization header).
- Public exploit code (including a Metasploit module) exists and SonicWall sensors have observed active exploitation attempts.
- SonicWall released IPS signature 4362 and vendors advise immediate upgrades per the vendor advisory to mitigate risk.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Crafted requests to the /access/ REST API allowed access and execution despite API being disabled (‘it was possible to access the REST API, even when disabled, by crafting a specific request path and parameters.’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – User-supplied values were inserted into a bash script and passed to system(), permitting arbitrary command execution (‘user input to the “/access/” API is directly put into a bash script leading to a critical vulnerability’).
- [T1195] Exploit Vulnerability – Manipulation of the Base64-encoded Authorization header enabled injection of commands that the server executed (‘By manipulating the base64-encoded authorization string sent in the HTTP headers, attackers could inject commands that the server would execute’).
- [T1068] Exploitation for Privilege Escalation – Public PoC indicates the obtained shell can be leveraged for privilege escalation on the LoadMaster instance (‘the publicly available also shows the possibility of privilege escalation once the shell is obtained.’)
Indicators of Compromise
- [CVE] vulnerability identifier – CVE-2024-1212
- [Endpoint] vulnerable REST API paths – /access/ , /access/set?param=enableapi&value=1
- [Authorization Pattern] injected Authorization header (base64) – decoded example: ';echo '[S]'hostname;echo'[E]';':anything
- [Default Account] administrative username observed – bal
- [Signature ID] network detection signature – IPS 4362 (Progress Kemp LoadMaster Command Injection)
Progress Kemp LoadMaster contains an unauthenticated command injection in its /access/ REST API that affects releases after 7.2.48.1 and LoadMaster Multi-Tenant (MT) VFNs. The flaw arises because crafted request paths can reach the REST API even when it is supposed to be disabled, and the service places the Basic Authentication-derived values REMOTE_USER and REMOTE_PASS directly into a bash script without parameterization or sanitization. Those user-controlled values are concatenated into a command that is executed via a system() call, allowing arbitrary command execution. A typical trigger is an HTTP request to /access/set?param=enableapi&value=1 with a specially crafted, base64-encoded Authorization header; decoded payloads in public PoCs show injected sequences like ';echo '[S]'hostname;echo'[E]';'.
Exploitation requires access to the administrative web interface, after which attackers can gain a shell and potentially escalate privileges by modifying sudo entries via the management interface (default admin user: bal). Defenders should block and detect attempts with the provided IPS signature (4362), monitor for suspicious requests to /access/, and apply the vendor-supplied updates immediately. Given public exploit code and observed active exploitation, rapid patching and network-based detection are critical to prevent compromise.
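The detection advice above (watch requests to /access/ for injected Basic credentials) as an added example, not code from the page, the vendor or SonicWall: it decodes the Authorization header the way the vulnerable script would and flags /access/ requests whose decoded REMOTE_USER/REMOTE_PASS contain shell metacharacters. The sample requests, the request tuple layout and the metacharacter set are constructed assumptions.

```python
import base64
import re
# Constructed sample requests, not real captures: (method, path, Authorization header).
# The third entry has the shape described for CVE-2024-1212: a request to the /access/
# API whose Basic credentials carry shell metacharacters.
def _basic(creds: bytes) -> str:
    return "Basic " + base64.b64encode(creds).decode()

SAMPLE_REQUESTS = [
    ("GET", "/access/get?param=version", _basic(b"bal:Password1")),
    ("GET", "/login", _basic(b"bal:';hostname;'")),  # not the /access/ API: out of scope
    ("GET", "/access/set?param=enableapi&value=1", _basic(b"';hostname;':anything")),
    ("GET", "/access/set?param=enableapi&value=1", "Bearer not.a.basic.header"),
    ("GET", "/access/set?param=enableapi&value=1", "Basic !!!not-base64!!!"),
]

# Characters that let a credential break out of a bash script that interpolates it.
# Assumed set, not taken from the vendor; widen or narrow to taste.
SHELL_META = re.compile(r"""[;&|`$<>(){}'"\\\n]""")

def decode_basic(auth_header: str):
    """(user, password) from a Basic header, or None if absent, another scheme, or bad base64."""
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:  # strict decoding so junk is rejected rather than silently skipped
        raw = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password

def inspect_request(method: str, path: str, auth_header: str):
    """Flag a /access/ request whose decoded REMOTE_USER/REMOTE_PASS contain metacharacters."""
    if not path.startswith("/access/"):
        return None
    creds = decode_basic(auth_header)
    if creds is None:
        return None
    user, password = creds
    hits = sorted({m.group(0) for m in SHELL_META.finditer(user + password)})
    if not hits:
        return None
    return {"method": method, "path": path, "user": user, "metachars": hits,
            "enableapi": "param=enableapi" in path}

def scan(requests):
    """Apply inspect_request to (method, path, auth) tuples and return the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f is not None]
```

Run against the constructed samples, only the /access/set request with a metacharacter-laden username is reported; the same credentials on /login, a non-Basic header and undecodable base64 are ignored, which is the noise a real feed of proxy or access logs will contain.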