1. LoadMaster [1]

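- Software developed by Progress Software
- An ADC (application delivery controller) and load-balancing solution used by large organizations to optimize application performance, manage network traffic, and ensure high service availability
- The Multi-Tenant Hypervisor version is a LoadMaster edition designed for multi-tenant environments; it can run multiple virtual network functions on the same hardware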

2. CVE-2024-7591

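[Figure 1] CVE-2024-7591 [2]

- An OS command injection vulnerability in Progress LoadMaster caused by improper input validation (CVSS: 10.0)
> Exploited by sending a crafted HTTP request, which gives access to the management interface, after which arbitrary OS commands can be executed
> No PoC or exploitation attempts have been confirmed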

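Affected versions
- LoadMaster <= 7.2.60.0
- Multi-Tenant Hypervisor <= 7.1.35.11

- The vendor provides the patch via an add-on package [3]

> The mitigation appears to add user input validation
> The patch does not apply to the free version, so the free version remains vulnerable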

3. References

[1] https://kemptechnologies.com/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-7591
[3] https://support.kemptechnologies.com/hc/en-us/articles/29196371689613-LoadMaster-Security-Vulnerability-CVE-2024-7591
[4] https://www.bleepingcomputer.com/news/security/progress-loadmaster-vulnerable-to-10-10-severity-rce-flaw/
[5] https://www.boannews.com/media/view.asp?idx=132693&page=3&kind=1
