Full Report
Now-patched security flaws impacting Progress Kemp LoadMaster and VMware vCenter Server have come under active exploitation in the wild, it has emerged. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2024-1212 (CVSS score: 10.0), a maximum-severity security vulnerability in Progress Kemp LoadMaster to its Known Exploited Vulnerabilities (KEV) catalog. It was
Analysis Summary
# Vulnerability: Kemp LoadMaster OS Command Injection and VMware vCenter Server Flaws Under Active Exploitation
## CVE Details
- CVE ID: CVE-2024-1212
  - CVSS Score: 10.0 (Critical)
  - CWE: OS Command Injection
- CVE ID: CVE-2024-38812
  - CVSS Score: 9.8 (Critical)
  - CWE: Not specified (likely related to authentication bypass or privilege escalation, based on context)
- CVE ID: CVE-2024-38813
  - CVSS Score: 7.5 (High)
  - CWE: Not specified
## Affected Systems
- **Products:** Progress Kemp LoadMaster, VMware vCenter Server
- **Versions:**
  - Kemp LoadMaster: specific vulnerable versions addressed in the LMOS 7.2.59.2, 7.2.54.8, and 7.2.48.10 releases.
  - VMware vCenter Server: specific versions for CVE-2024-38812 and CVE-2024-38813 disclosed in the September/October 2024 advisories.
- **Configurations:**
  - CVE-2024-1212: requires attacker access to the administrator web user interface (web UI).
## Vulnerability Description
**CVE-2024-1212 (Kemp LoadMaster):** This is an OS command injection vulnerability within the LoadMaster management interface. A remote, unauthenticated attacker who can access the administrator web UI can execute arbitrary system commands on the underlying operating system, leading to full system access.
**CVE-2024-38812 & CVE-2024-38813 (VMware vCenter Server):** These are two distinct flaws that CISA warns are under active exploitation. CVE-2024-38812, in particular, received subsequent patching, indicating the initial fix might have been incomplete.
## Exploitation
- **Status:** Active exploitation **in the wild** for all three listed CVEs (as per CISA KEV catalog addition and Broadcom warning).
- **Complexity:**
  - CVE-2024-1212: likely Low. The only prerequisite is network reachability of the administrator web UI; no credentials are needed to execute commands once that interface is reachable.
  - CVE-2024-38812/38813: not detailed in the source, but confirmed in-the-wild exploitation shows the flaws are practically exploitable where the prerequisites are met.
- **Attack Vector:**
  - CVE-2024-1212: remote (via the management interface).
  - CVE-2024-38812/38813: not specified, but vCenter Server vulnerabilities commonly involve network-accessible vectors.
## Impact
- **Confidentiality:** High potential impact due to arbitrary command execution (CVE-2024-1212 grants full access).
- **Integrity:** High potential impact due to arbitrary command execution.
- **Availability:** Significant impact, as system compromise can lead to service disruption or resource manipulation.
## Remediation
### Patches
Organizations must apply the respective vendor patches corresponding to the timelines mentioned below:
- **Kemp LoadMaster (for CVE-2024-1212):** Patches were released by Progress Software back in **February 2024** in versions including LMOS 7.2.59.2, 7.2.54.8, and 7.2.48.10.
- **VMware vCenter Server (for CVE-2024-38812 & CVE-2024-38813):** The original fixes were rolled out in **September 2024**, with a subsequent patch for CVE-2024-38812 released in **October 2024**.
### Workarounds
No specific workarounds were detailed in the provided text, but administrators should immediately restrict network access to management interfaces if patching cannot be immediately applied.
## Detection
- **Indicators of Compromise:** Not explicitly listed. Watch for unusual process execution or unexpected configuration changes on the affected physical or virtual appliances.
- **Detection methods and tools:** Review network traffic to and from the Kemp LoadMaster management interface for suspicious command injection payloads, and for management-interface access from sources that are not expected administrator hosts. Monitor vCenter Server logs for activity related to the vulnerabilities disclosed in the September/October 2024 advisories.
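The following is an added example, not code from the original report or from Progress or VMware, showing how the two detection ideas above (management-interface requests from outside the expected administrator network, and shell metacharacters inside request parameters) can be applied to web access logs in combined-log format. The log lines, the `/admin/` path prefix, the `ADMIN_NETWORKS` range and the parameter names are all constructed placeholders: the report does not name the vulnerable LoadMaster endpoint, so these must be adjusted to the real appliance log format and the organisation's own management subnet.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical: networks from which administrators are expected to reach the
# management UI. Any management-UI request from elsewhere is flagged, which
# supports the workaround of restricting network access to that interface.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.50.0/24")]

# Hypothetical path prefix for the management UI (the report does not name
# the vulnerable endpoint; adjust to the real appliance).
MGMT_PATH_PREFIX = "/admin/"

# Shell metacharacters and command-substitution forms that have no legitimate
# place inside a parameter value sent to an appliance management interface.
SHELL_META = re.compile(r"[;&|`]|\$\(|\$\{|\n|\r")

# Combined-log style line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; these are not real observed requests.
SAMPLE_LOG = """\
10.0.50.12 - - [18/Nov/2024:09:14:02 +0000] "GET /admin/status?view=summary HTTP/1.1" 200 512
10.0.50.12 - - [18/Nov/2024:09:15:10 +0000] "GET /admin/tools?host=10.0.1.5 HTTP/1.1" 200 311
203.0.113.7 - - [18/Nov/2024:09:16:33 +0000] "GET /admin/tools?host=10.0.1.5 HTTP/1.1" 200 311
203.0.113.7 - - [18/Nov/2024:09:16:41 +0000] "GET /admin/tools?host=10.0.1.5%3Bid HTTP/1.1" 200 640
10.0.50.12 - - [18/Nov/2024:09:18:05 +0000] "GET /admin/tools?host=%2524%2528id%2529 HTTP/1.1" 200 640
10.0.50.30 - - [18/Nov/2024:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return the names of query parameters whose values carry shell metacharacters.

    parse_qsl percent-decodes once; decoding a second time catches payloads
    that were double-encoded to slip past a naive filter.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_META.search(value) or SHELL_META.search(unquote_plus(value)):
            hits.append(name)
    return hits


def analyze(lines):
    """Return a list of findings for management-UI requests that look risky."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not urlsplit(rec["target"]).path.startswith(MGMT_PATH_PREFIX):
            continue  # not a management-interface request
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # unparseable client address; skip rather than guess
        reasons = []
        if not any(src in net for net in ADMIN_NETWORKS):
            reasons.append("mgmt-ui-from-outside-admin-network")
        params = suspicious_params(rec["target"])
        if params:
            reasons.append("shell-metachars-in:" + ",".join(params))
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": rec["target"], "reasons": reasons})
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f["ts"], f["ip"], f["target"], "->", "; ".join(f["reasons"]))
```

On the sample, the two benign administrator requests and the non-management request produce nothing; the requests from 203.0.113.7 are flagged for coming from outside the administrator network (the second one additionally for the `;` in its `host` parameter), and the double-encoded `$(...)` from an administrator address is caught by the second decode. The source-network check is deliberately independent of payload matching, because a restricted management interface should never see outside traffic at all, regardless of whether a given request looks malicious.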
## References
- CISA KEV Update Link: hXXps://cisa.gov/news-events/alerts/2024/11/18/cisa-adds-three-known-exploited-vulnerabilities-catalog
- Progress Kemp LoadMaster Advisory Link: hXXps://community.progress.com/s/article/Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212
- Broadcom Security Advisory (VMware): hXXps://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
- Rhino Security Blog (CVE-2024-1212): hXXps://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/