Ethical Hacking News
Hackers have exploited a critical KerioControl firewall vulnerability, allowing them to steal admin CSRF tokens. Businesses using these products are urged to apply the latest patch as soon as possible to protect against exploitation attempts.
A critical vulnerability (CVE-2024-52875) in the GFI KerioControl firewall product has been exploited by hackers, allowing them to steal admin Cross-Site Request Forgery (CSRF) tokens. The vulnerability can lead to one-click remote code execution (RCE) attacks due to a severe CRLF injection issue. It affects KerioControl versions 9.2.5 through 9.4.5, making immediate action necessary for businesses using these products. The root cause lies in improper sanitization of line feed (LF) characters, allowing HTTP header and response manipulation via injected payloads. Exploitation attempts targeting the vulnerability have been detected from four distinct IP addresses, marked as "malicious" by threat scanning platforms. A total of 23,862 internet-exposed GFI KerioControl instances were observed, but it remains unclear how many are vulnerable to CVE-2024-52875. GFI Software released version 9.4.5 Patch 1 for the KerioControl product on December 19, 2024, addressing the issue; patching is highly recommended.
A recently discovered critical vulnerability in the GFI KerioControl firewall product has been exploited by hackers, allowing them to steal admin Cross-Site Request Forgery (CSRF) tokens. The vulnerability, identified as CVE-2024-52875, is a severe CRLF injection issue that can lead to one-click remote code execution (RCE) attacks.
In December 2024, security researcher Egidio Romano published a detailed writeup of the vulnerability, demonstrating how an initially low-severity HTTP response splitting problem could escalate to RCE. The vulnerability impacts KerioControl versions 9.2.5 through 9.4.5, making it crucial for businesses using these products to take immediate action.
The root cause of the issue lies in improper sanitization of line feed (LF) characters in the 'dest' parameter, allowing HTTP header and response manipulation via injected payloads. This lets an attacker inject malicious JavaScript into a response, which is then executed in the victim's browser, allowing cookies or CSRF tokens to be extracted.
According to threat scanning platform GreyNoise, exploitation attempts targeting CVE-2024-52875 have been detected from four distinct IP addresses, possibly using the Proof-of-Concept (PoC) exploit code presented by Romano. The activity is marked as "malicious" by the platform, indicating that it is attributed to threat actors rather than researchers probing systems.
A more recent report by Censys revealed that 23,862 internet-exposed GFI KerioControl instances were observed. However, it remains unclear how many of these instances are vulnerable to CVE-2024-52875.
In response to this critical vulnerability, GFI Software released version 9.4.5 Patch 1 for the KerioControl product on December 19, 2024, which addresses the issue. It is highly recommended that users apply the patch as soon as possible.
For organizations unable to apply the patch immediately, admins are advised to limit access to KerioControl's web management interface to trusted IP addresses and to disable public access to the '/admin' and '/noauth' pages via firewall rules. Additionally, monitoring for exploitation attempts targeting the 'dest' parameter and configuring shorter session expiration times provide further mitigation.
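One way to implement the monitoring advice above, as an added example that is not from the article or from GFI: it scans web-server access-log lines for requests whose 'dest' parameter carries a carriage return or line feed, including the double-encoded form. The log format, the '/noauth/page' path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry
# CR/LF in the 'dest' parameter, once single-encoded and once double-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Dec/2024:10:00:01 +0000] "GET /noauth/page?dest=%2Fadmin%2F HTTP/1.1" 302 0
203.0.113.9 - - [19/Dec/2024:10:00:02 +0000] "GET /noauth/page?dest=%0d%0aX-Test:1 HTTP/1.1" 302 0
203.0.113.9 - - [19/Dec/2024:10:00:03 +0000] "GET /noauth/page?dest=%250d%250aX:y HTTP/1.1" 302 0
203.0.113.7 - - [19/Dec/2024:10:00:04 +0000] "POST /admin/login HTTP/1.1" 200 512
"""

# Request line inside a common-log-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
CRLF = re.compile(r"[\r\n]")


def has_crlf(value: str) -> bool:
    """True if the value contains CR or LF after up to two rounds of decoding.

    parse_qs already percent-decodes once, so a second unquote() catches
    double-encoded forms such as %250d%250a."""
    return bool(CRLF.search(value) or CRLF.search(unquote(value)))


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose 'dest' parameter carries CR/LF."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        parts = urlsplit(target)
        dest_values = parse_qs(parts.query, keep_blank_values=True).get("dest", [])
        bad = [v for v in dest_values if has_crlf(v)]
        if bad:
            findings.append({"client": line.split()[0], "path": parts.path, "dest": bad})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} {finding['path']} dest={finding['dest']!r}")
```

Pointing this at the firewall's real access log (rotated or streamed) gives a cheap signal for the '/noauth' and '/admin' requests the article singles out, independent of whether the patch has been applied yet.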
This vulnerability highlights the importance of staying up-to-date with security patches and implementing robust measures to protect against exploit attempts. Businesses using KerioControl products must prioritize patching their systems and educating their admins on how to navigate this critical issue.
Related Information:
https://www.bleepingcomputer.com/news/security/hackers-exploit-keriocontrol-firewall-flaw-to-steal-admin-csrf-tokens/
https://nvd.nist.gov/vuln/detail/CVE-2024-52875
https://www.cvedetails.com/cve/CVE-2024-52875/
Published: Wed Jan 8 16:01:16 2025 by llama3.2 3B Q4_K_M