
Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE).

The vulnerability in question, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection attack, paving the way for HTTP response splitting, which could then lead to a cross-site scripting (XSS) flaw.

Successful exploitation of the 1-click RCE flaw permits an attacker to inject malicious input into HTTP response headers by introducing carriage return (\r) and line feed (\n) characters.


The flaw affects KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024.

The HTTP response splitting flaws were found in the following URI paths:

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

“User input passed to these pages via the ‘dest’ GET parameter is not properly sanitized before being used to generate a ‘Location’ HTTP header in a 302 HTTP response,” Romano said.


“Specifically, the application does not correctly filter/remove line feed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which, in turn, could allow it to carry out reflected cross-site scripting (XSS) and possibly other attacks.”
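As an added illustration (not KerioControl code and not the researcher's PoC), the following Python shows the server-side check a hardened 302 handler would apply to the `dest` value before emitting a Location header, and reuses that check to flag access-log requests to the three affected paths whose decoded `dest` carries CR/LF. The function names and the log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three unauthenticated endpoints named in the advisory.
VULNERABLE_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

# Common Log Format line: captures the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')

def dest_param(target):
    """Decoded 'dest' query value of a request target, or None if absent.
    parse_qs percent-decodes, so %0a / %0d come back as real LF / CR."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("dest")
    return values[0] if values else None

def safe_location(dest):
    """Hardened redirect builder: refuse a value that still holds CR or LF
    after decoding, since either ends the Location header line and turns
    the rest of 'dest' into extra headers or a response body."""
    if "\r" in dest or "\n" in dest:
        return None
    return dest

def flag_splitting_attempts(lines):
    """Flag log lines hitting an affected endpoint with CR/LF in 'dest'.
    Returns (client_ip, path) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        dest = dest_param(m["target"])
        if path in VULNERABLE_PATHS and dest is not None and safe_location(dest) is None:
            hits.append((m["ip"], path))
    return hits

# Constructed sample access-log lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Dec/2024:10:01:02 +0000] "GET /nonauth/expiration.cs?dest=%2Fsome%2Fpage HTTP/1.1" 302 0',
    '203.0.113.7 - - [28/Dec/2024:10:01:09 +0000] "GET /nonauth/addCertException.cs?dest=%2Fx%0aX-Test:%201 HTTP/1.1" 302 0',
    '198.51.100.9 - - [28/Dec/2024:10:02:00 +0000] "GET /admin/ HTTP/1.1" 200 512',
]

for ip, path in flag_splitting_attempts(SAMPLE_LOG):
    print(f"possible CVE-2024-52875 probe from {ip} against {path}")
```

The same `safe_location` check belongs in the redirect handler itself; logging only tells you who tried, while the rejected header is what closes the bug.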

A fix for the vulnerability was released by GFI on December 19, 2024, with version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since been made available.

Specifically, an adversary could craft a malicious URL such that an administrator user clicking on it triggers the execution of the PoC hosted on an attacker-controlled server, which then uploads a malicious .img file via the firmware upgrade functionality, granting root access to the firewall.


Threat intelligence firm GreyNoise has reported that exploitation attempts targeting CVE-2024-52875 commenced back on December 28, 2024, with the attacks originating from seven unique IP addresses in Singapore and Hong Kong to date.

According to Censys, there are more than 23,800 internet-exposed GFI KerioControl instances. A majority of these servers are located in Iran, Uzbekistan, Italy, Germany, the U.S., Czechia, Belarus, Ukraine, Russia, and Brazil.


The exact nature of the attacks exploiting the flaw is currently not known. Users of KerioControl are advised to take steps to secure their instances as soon as possible to mitigate potential threats.
