Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Jan 09, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE).

The vulnerability in question, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then lead to a cross-site scripting (XSS) flaw.

Successful exploitation of the 1-click RCE flaw permits an attacker to inject malicious inputs into HTTP response headers by introducing carriage return (\r) and line feed (\n) characters.


The flaw affects KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024.

The HTTP response splitting flaws were uncovered in the following URI paths:

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

“User input passed to these pages via the ‘dest’ GET parameter is not properly sanitized before being used to generate a ‘Location’ HTTP header in a 302 HTTP response,” Romano mentioned.

“Specifically, the application does not correctly filter/remove line feed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which, in turn, might allow it to carry out reflected cross-site scripting (XSS) and possibly other attacks.”
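To make the root cause and its fix concrete, here is an added example (not code from KerioControl or from the researcher) that contrasts a hypothetical redirect handler concatenating `dest` straight into a Location header with a hardened version that rejects CR/LF and confines the target to a local path, plus a small detection routine that flags access-log requests to the three affected paths whose `dest` parameter decodes to CR or LF. The log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# The three pre-auth pages named in the advisory; 'dest' feeds a Location header.
VULN_PATHS = {"/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs",
              "/nonauth/expiration.cs"}

def unsafe_redirect_headers(dest: str) -> bytes:
    """Hypothetical stand-in for the vulnerable pattern: a CR/LF inside 'dest'
    terminates the Location line and the rest becomes extra headers/body."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + dest + "\r\n\r\n").encode("latin-1")

def is_safe_dest(dest: str) -> bool:
    """True only for a CR/LF-free, ASCII, local absolute path (no scheme and no
    protocol-relative '//host' form that would turn this into an open redirect)."""
    if "\r" in dest or "\n" in dest or not dest.isascii():
        return False
    return dest.startswith("/") and not dest.startswith("//")

def safe_redirect_headers(dest: str) -> bytes:
    """Hardened variant: refuse anything is_safe_dest() rejects."""
    if not is_safe_dest(dest):
        raise ValueError("illegal redirect target")
    return f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\n\r\n".encode("ascii")

_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

def flag_crlf_in_dest(log_lines):
    """Detection: return access-log lines that hit an affected path with a
    'dest' value that URL-decodes to something containing CR or LF."""
    hits = []
    for line in log_lines:
        m = _REQ.match(line)
        if not m:
            continue
        url = urlparse(m.group(2))
        if url.path not in VULN_PATHS:
            continue
        for dest in parse_qs(url.query, keep_blank_values=True).get("dest", []):
            if "\r" in dest or "\n" in dest:
                hits.append(line)
                break
    return hits

# Constructed sample log lines (Apache-style), not taken from a real device.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:01:02 +0000] "GET /nonauth/expiration.cs?dest=/login HTTP/1.1" 302 0',
    '203.0.113.7 - - [28/Dec/2024:10:01:09 +0000] "GET /nonauth/addCertException.cs?dest=/x%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '203.0.113.9 - - [28/Dec/2024:10:02:11 +0000] "GET /admin/ HTTP/1.1" 200 512',
]
```

Running `flag_crlf_in_dest(SAMPLE_LOG)` returns only the second line; note that `parse_qs` decodes one layer of percent-encoding, so double-encoded values would need an extra decode pass before the check.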

A fix for the vulnerability was released by GFI on December 19, 2024, with version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since been made available.

Specifically, an adversary could craft a malicious URL such that an administrator user clicking on it triggers the execution of the PoC hosted on an attacker-controlled server, which then uploads a malicious .img file via the firmware upgrade functionality, granting root access to the firewall.


Threat intelligence firm GreyNoise has reported that exploitation attempts targeting CVE-2024-52875 commenced on December 28, 2024, with the attacks originating from seven unique IP addresses in Singapore and Hong Kong so far.

According to Censys, there are more than 23,800 internet-exposed GFI KerioControl instances. A majority of these servers are located in Iran, Uzbekistan, Italy, Germany, the United States, Czechia, Belarus, Ukraine, Russia, and Brazil.

The exact nature of the attacks exploiting the flaw is currently not known. Users of KerioControl are advised to take steps to secure their instances as soon as possible to mitigate potential threats.
