Threat actors are attempting to exploit a newly disclosed security flaw in GFI KerioControl firewalls that, if successfully exploited, could allow attackers to achieve remote code execution (RCE).
The vulnerability in question, CVE-2024-52875, is a carriage return line feed (CRLF) injection flaw that enables HTTP response splitting, which in turn can lead to cross-site scripting (XSS).
Successful exploitation of the 1-click RCE flaw allows an attacker to inject malicious input into HTTP response headers by supplying carriage return (\r) and line feed (\n) characters.
The issue affects KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024.
The HTTP response splitting flaws were found in the following URI paths:
- /nonauth/addCertException.cs
- /nonauth/guestConfirm.cs
- /nonauth/expiration.cs
“User input passed to these pages via the ‘dest’ GET parameter is not properly sanitized before being used to create the ‘Location’ HTTP header in the HTTP 302 response,” Romano said.
“Specifically, the application does not properly filter/remove line feed (LF) characters. This could be used to perform HTTP Response Splitting attacks, which in turn could allow it to perform reflected cross-site scripting (XSS) and possibly other attacks.”
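To make the mechanism concrete, the following is an added example (not KerioControl's code, and not from Romano's advisory) that models a redirect endpoint copying a 'dest' query parameter into the Location header of a 302 response. It shows the flawed pattern beside a hardened version, a deliberately lenient response parser that accepts a bare LF as a line terminator, and a constructed attacker URL that terminates the header block and appends a reflected body. The hostname, the injected headers and the payload are assumptions made for illustration.

```python
"""Illustration of the HTTP response splitting bug class described above.

Constructed example code: it is not KerioControl's implementation. It models a
/nonauth/*.cs style redirect that copies the 'dest' query parameter into the
Location header of a 302 response, once unfiltered and once hardened.
"""
from urllib.parse import parse_qs, urlsplit


def build_redirect_vulnerable(dest: str) -> str:
    """Naively copies dest into the Location header (the flawed pattern)."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def validate_dest(dest: str) -> str:
    """Reject anything that could break out of the header value.

    CR, LF and NUL end the header line for lenient parsers, so they are refused
    outright. Restricting the target to a local absolute path is an extra design
    choice that also closes the open-redirect angle.
    """
    if any(c in dest for c in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    if not dest.startswith("/") or dest.startswith("//"):
        raise ValueError("redirect target must be a local absolute path")
    return dest


def build_redirect_hardened(dest: str) -> str:
    """Same redirect, but the value is validated before it reaches the header."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {validate_dest(dest)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def parse_response(raw: str):
    """Lenient parser in the spirit of a permissive client: a bare LF counts as a
    line terminator. Returns (status_line, headers dict, body)."""
    normalized = raw.replace("\r\n", "\n")
    head, _, body = normalized.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def handle_request(url: str, hardened: bool) -> str:
    """Extract dest from the request URL as the endpoint would, then build the 302.

    parse_qs percent-decodes the value, so %0a in the URL becomes a real LF.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    dest = query.get("dest", [""])[0]
    builder = build_redirect_hardened if hardened else build_redirect_vulnerable
    return builder(dest)


# Constructed attacker URL (hostname and payload are assumptions): the first %0a
# ends the Location line, the doubled %0a ends the header block, and everything
# after it becomes a body the attacker controls.
ATTACK_URL = (
    "https://firewall.example/nonauth/expiration.cs?dest=/"
    "%0aContent-Type:%20text/html%0aContent-Length:%2025%0a%0a"
    "<script>alert(1)</script>"
)


if __name__ == "__main__":
    status, headers, body = parse_response(handle_request(ATTACK_URL, hardened=False))
    print(status, headers, repr(body))
    try:
        handle_request(ATTACK_URL, hardened=True)
    except ValueError as exc:
        print("hardened endpoint refused the request:", exc)
```

Whether a given client renders the injected body or follows the Location redirect depends on the client; the point the example makes is that once a bare LF reaches the header, the server no longer controls where its own response ends.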
GFI released a patch for the vulnerability on December 19, 2024, with version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since become available.
Specifically, an adversary can craft a malicious URL such that, when an administrator clicks on it, the PoC hosted on an attacker-controlled server executes, uploads a malicious .img file through the firmware upgrade function, and thereby obtains root access to the firewall.
Threat intelligence company GreyNoise reported that attempts to exploit CVE-2024-52875 began as early as December 28, 2024, and that to date the attacks have originated from seven unique IP addresses in Singapore and Hong Kong.
According to Censys, there are over 23,800 instances of GFI KerioControl exposed online. Most of these servers are located in Iran, Uzbekistan, Italy, Germany, the United States, the Czech Republic, Belarus, Ukraine, Russia and Brazil.
The exact nature of the attacks exploiting the flaw is currently unknown. KerioControl users are advised to apply the patch and take measures to protect their instances as soon as possible to mitigate potential threats.
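For defenders who want a quick check for the exploitation attempts described above, the following is an added example (not from GreyNoise, GFI or the original report) that triages web-server access logs for requests to the three affected paths whose 'dest' parameter decodes to a CR or LF. It assumes an Apache/nginx style combined log format; KerioControl's own log format may differ and the regular expression would need adjusting. The log lines, IP addresses (documentation ranges) and the attacker domain are constructed for the example.

```python
"""Constructed access-log triage for CVE-2024-52875 exploitation attempts.

Added example, not GreyNoise's or GFI's tooling. Assumes a combined log format;
adjust LOG_RE for the log source actually in use.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The three URI paths named in the advisory.
VULNERABLE_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# CR, LF or NUL after a single percent-decoding pass, which is what the
# server performs before the value reaches the Location header.
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def is_crlf_attempt(target: str) -> bool:
    """True if the request targets an affected path with CR/LF in 'dest'."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_PATHS:
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(CONTROL_CHARS.search(value) for value in query.get("dest", []))


def find_attempts(log_lines):
    """Return one record per matching request, preserving log order."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and is_crlf_attempt(match["target"]):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "target": match["target"],
                "ua": match["ua"],
            })
    return hits


def sources_by_count(log_lines):
    """Source IPs ranked by number of attempts, for blocking or enrichment."""
    return Counter(hit["ip"] for hit in find_attempts(log_lines)).most_common()


# Constructed sample log: two attempts from one source, one benign redirect,
# and one CRLF probe against an unrelated path that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:15:32 +0000] '
    '"GET /nonauth/expiration.cs?dest=/%0aSet-Cookie:%20a=b HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [28/Dec/2024:10:16:01 +0000] '
    '"GET /nonauth/expiration.cs?dest=/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Dec/2024:10:16:40 +0000] '
    '"GET /static/logo.png?dest=%0d%0a HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [28/Dec/2024:10:17:03 +0000] '
    '"GET /nonauth/guestConfirm.cs?dest=%0d%0aLocation:%20https://attacker.example/ HTTP/1.1" 302 0 "-" "curl/8.4.0"',
]


if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"])
    print(sources_by_count(SAMPLE_LOG))
```

Decoding once and then looking for raw control characters catches both `%0a` and `%0d%0a` spellings and mixed case, while leaving percent-encoded text that decodes to something harmless alone; a hit on any of the three paths on an unpatched firewall is worth treating as an exploitation attempt rather than a scan.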