Fix for CVE-2024-3544

Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the High Availability (HA) or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed. The new Partner Communications shared secret parameter is located on the Certificates & Security > Remote Access page of the User Interface (UI).

Fix for CVE-2024-3543

Use of a reversible password encryption algorithm allows attackers to decrypt passwords obtained with the attack described above in CVE-2024-3544. Sensitive information can be easily unencrypted by the attacker which could be used for arbitrary system command execution. This vulnerability has been closed by closing the CVE-2024-3544 vulnerability.