LoadMaster SSH Private Key Escalation via Network Proximity
CVE-2024-3544 Published on May 2, 2024
LoadMaster Hardcoded SSH Key
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed.
Vulnerability Analysis
Weakness Type
Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Products Associated with CVE-2024-3544
Want to know whenever a new CVE is published for Progress Loadmaster? stack.watch will email you.
Affected Versions
Progress Software Corporation LoadMaster:- Version LoadMaster 7.2.55.0 (GA) and below 7.2.59.4 is affected.
- Version LoadMaster 7.2.49.0 (LTSF) and below 7.2.54.10 is affected.
- Version LoadMaster 7.2.48.11 (LTS) and below 7.2.48.12 is affected.
- Version 7.2.55.0\(ga\) and below 7.2.59.4 is affected.
- Version 7.2.49.0\(ltsf\) and below 7.2.54.10 is affected.
- Version 7.2.48.11\(lts\) and below 7.2.48.12 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.