Severity
High
Analysis Summary
A recently disclosed security vulnerability in GFI KerioControl firewalls is being exploited by threat actors; successful exploitation gives the attacker remote code execution (RCE).
The vulnerability, tracked as CVE-2024-52875, stems from a carriage return line feed (CRLF) injection flaw that enables HTTP response splitting and may in turn lead to cross-site scripting (XSS). By placing carriage return (\r) and line feed (\n) characters in user input, an attacker can inject arbitrary content into HTTP response headers. It is described as a 1-click RCE flaw because a single click on a crafted link by a privileged user is enough to trigger it.
Security researchers found and disclosed the vulnerability in early November 2024; it affects KerioControl versions 9.2.5 through 9.4.5. User input supplied to the affected pages through the 'dest' GET parameter is not adequately sanitized before it is used to build the 'Location' HTTP header of a 302 HTTP response. In particular, the application does not filter or strip line feed (LF) characters. This allows HTTP response splitting, which can be used to carry out reflected cross-site scripting (XSS) and potentially other attacks.
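The defect described above, as an added example that is not part of this advisory or of KerioControl's code: a Python scanner that flags requests whose decoded `dest` parameter contains CR or LF, run over constructed access-log lines, beside the unfiltered and the hardened way of building the Location header. The log format, the client addresses and the `/example-page` path are assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common access-log shape (hypothetical; not real
# KerioControl logs). /example-page is a placeholder for the affected page.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2024:10:00:01 +0000] "GET /example-page?dest=%2Fadmin HTTP/1.1" 302 0
203.0.113.9 - - [28/Dec/2024:10:00:05 +0000] "GET /example-page?dest=%2F%0d%0aX-Injected:%20test HTTP/1.1" 302 0
203.0.113.9 - - [28/Dec/2024:10:00:07 +0000] "GET /example-page?dest=%2F%0AX-Injected:%20test HTTP/1.1" 302 0
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def dest_values(target: str) -> list[str]:
    """Return every percent-decoded value of the 'dest' query parameter in a request target."""
    query = urlsplit(target).query
    # parse_qs percent-decodes, so %0d/%0a become the raw control characters we look for.
    return parse_qs(query, keep_blank_values=True).get("dest", [])


def is_safe_redirect_target(dest: str) -> bool:
    """A redirect target is safe to place in a header only if it has no control characters.

    Rejecting the whole value is preferable to stripping CR/LF: the advisory's bug is
    precisely that only some of these characters were filtered.
    """
    return not any(ord(c) < 0x20 or c == "\x7f" for c in dest)


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded dest) for requests whose dest would split the Location header."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        for value in dest_values(m["target"]):
            if not is_safe_redirect_target(value):
                hits.append((m["ip"], value))
    return hits


def vulnerable_location_header(dest: str) -> str:
    """The unfiltered pattern the advisory describes: input concatenated straight into Location."""
    return "Location: " + dest + "\r\n"


def safe_location_header(dest: str) -> str:
    """Hardened form: refuse the redirect outright when the target carries control characters."""
    if not is_safe_redirect_target(dest):
        raise ValueError("refusing redirect target containing control characters")
    return "Location: " + dest + "\r\n"
```

Both the `%0d%0a` and the bare `%0A` variant are flagged, which matters because the advisory notes that LF alone was not filtered.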
On December 19, 2024, GFI published version 9.4.5 Patch 1, which addresses the vulnerability. Since then, a proof-of-concept (PoC) exploit has been released. Specifically, a malicious URL can be crafted so that when an administrator clicks it, a PoC hosted on an attacker-controlled server executes; that server then uploads a malicious .img file through the firmware upgrade feature, giving the attacker root access to the firewall.
Exploitation attempts against CVE-2024-52875 started on December 28, 2024, and have so far come from seven distinct IP addresses in Singapore and Hong Kong. Over 23,800 instances of GFI KerioControl are exposed to the internet, most of them in Iran, Uzbekistan, Italy, Germany, the United States, Czechia, Belarus, Ukraine, Russia, and Brazil. The nature of the attacks leveraging the vulnerability is not yet known. To reduce risk, KerioControl users are urged to secure their instances as soon as possible.
Impact
- Code Execution
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-52875
Affected Vendors
- GFI
Affected Products
- GFI Kerio Control - 9.2.5
- GFI Kerio Control - 9.4.5
Remediation
- Upgrade to the latest version of GFI Kerio Control, available from the GFI Website.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.