-1.9 C
New York
Saturday, January 11, 2025

Crucial RCE Flaw in GFI KerioControl Permits Distant Code Execution through CRLF Injection


Jan 09, 2025Ravie LakshmananVulnerability / Menace Intelligence

Crucial RCE Flaw in GFI KerioControl Permits Distant Code Execution through CRLF Injection

Menace actors try to make the most of a lately disclosed safety flaw impacting GFI KerioControl firewalls that, if efficiently exploited, might permit malicious actors to realize distant code execution (RCE).

The vulnerability in query, CVE-2024-52875, refers to a carriage return line feed (CRLF) injection assault, paving the way in which for HTTP response splitting, which might then result in a cross-site scripting (XSS) flaw.

Profitable exploitation of the 1-click RCE flaw permits an attacker to inject malicious inputs into HTTP response headers by introducing carriage return (r) and line feed (n) characters.

Cybersecurity

The flaw impacts KerioControl variations 9.2.5 by means of 9.4.5, in accordance with safety researcher Egidio Romano, who found and reported the flaw in early November 2024.

The HTTP response splitting flaws have been uncovered within the following URI paths –

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

“Consumer enter handed to those pages through the ‘dest’ GET parameter is just not correctly sanitized earlier than getting used to generate a ‘Location’ HTTP header in a 302 HTTP response,” Romano mentioned.

“Particularly, the applying doesn’t appropriately filter/take away line feed (LF) characters. This may be exploited to carry out HTTP Response Splitting assaults, which, in flip, may permit it to hold out mirrored cross-site scripting (XSS) and presumably different assaults.”

A repair for the vulnerability was launched by GFI on December 19, 2024, with model 9.4.5 Patch 1. A proof-of-concept (PoC) exploit has since been made obtainable.

Particularly, an adversary might craft a malicious URL such that an administrator consumer clicking on it triggers the execution of the PoC hosted on an attacker-controlled server, which then uploads a malicious .img file through the firmware improve performance, granting root entry to the firewall.

Cybersecurity

Menace intelligence agency GreyNoise has reported that exploitation makes an attempt focusing on CVE-2024-52875 commenced again on December 28, 2024, with the assaults originating from seven distinctive IP addresses from Singapore and Hong Kong to this point.

Based on Censys, there are greater than 23,800 internet-exposed GFI KerioControl cases. A majority of those servers are situated in Iran, Uzbekistan, Italy, Germany, the US, Czechia, Belarus, Ukraine, Russia, and Brazil.

The precise nature of the assaults exploiting the flaw is presently not identified. Customers of KerioControl are suggested to take steps to safe their cases as quickly as potential to mitigate potential threats.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles