Ethical Hacking News
A recently disclosed vulnerability in GFI KerioControl firewalls allows remote code execution via CRLF injection, making it essential for users to apply the available patch and add compensating security measures to prevent exploitation. This critical RCE flaw could have far-reaching consequences, underscoring the need for proactive vigilance against emerging threats.
The GFI KerioControl firewall has a Critical RCE (Remote Code Execution) flaw that allows for code injection via CRLF injection attacks. The vulnerability affects KerioControl versions 9.2.5 through 9.4.5 due to improper sanitization of user input in specific URI paths. The attack can lead to HTTP Response Splitting, reflected cross-site scripting (XSS), and potentially other attacks. There are over 23,800 internet-exposed GFI KerioControl instances, with many located in high-risk countries. Users are advised to apply available patches or updates and implement additional security measures to prevent exploitation. A fix was released by GFI on December 19, 2024, for affected versions.
Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection
In a recent development that has sent shockwaves through the cybersecurity community, a vulnerability has been disclosed in GFI KerioControl firewalls that allows for remote code execution (RCE) via carriage return line feed (CRLF) injection attacks. This significant flaw was first reported by security researcher Egidio Romano in early November 2024 and has since been identified as CVE-2024-52875.
The vulnerability, which affects KerioControl versions 9.2.5 through 9.4.5, is a result of improper sanitization of user input in specific URI paths. Specifically, the application does not correctly filter/remove line feed (LF) characters from user input before using it to generate a 'Location' HTTP header in a 302 HTTP response.
This vulnerability can be exploited by an attacker to perform HTTP Response Splitting attacks, which can then lead to reflected cross-site scripting (XSS) and potentially other attacks. The severity of this flaw is high, as it allows for arbitrary code execution on the affected system.
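To make the mechanism concrete, the following Python is an added example (not KerioControl's code and not the researcher's PoC): a hypothetical redirect handler that copies an untrusted destination straight into a `Location` header, shown beside a hardened version that rejects CR/LF and other control characters before the header is rendered. The hostnames, paths and `allowed_hosts` list are constructed for the example; the point is that a single unfiltered line feed lets the caller terminate the `Location` header and append headers, or a body, of their choosing.

```python
"""CRLF injection into a 302 'Location' header: vulnerable vs hardened builder.

Added illustration only; the functions and sample values are hypothetical and
do not come from KerioControl or from the published advisory.
"""
from urllib.parse import urlsplit


class HeaderInjectionError(ValueError):
    """Raised when a redirect target is unsafe to place in a response header."""


def render_redirect(target: str) -> bytes:
    """Render a minimal 302 response; trusts 'target' completely (the flaw)."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1", "replace")


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern: user input goes into the header with no filtering."""
    return render_redirect(target)


def sanitize_redirect_target(target: str, allowed_hosts: set[str]) -> str:
    """Validate a redirect target before it reaches any header.

    Checks run on the raw string *before* urlsplit(), because recent Python
    versions strip CR/LF/TAB inside urlsplit() and would hide the injection.
    """
    # Any CR, LF or NUL ends the header line early: hard reject, never "strip".
    if any(ch in target for ch in "\r\n\x00"):
        raise HeaderInjectionError("CR/LF/NUL in redirect target")
    # Other ASCII control characters have no business in a URL either.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise HeaderInjectionError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        raise HeaderInjectionError(f"unexpected scheme {parts.scheme!r}")
    # Absolute URLs must point back at a host we own (also closes open redirects).
    if parts.netloc and (parts.hostname or "").lower() not in allowed_hosts:
        raise HeaderInjectionError(f"redirect to foreign host {parts.hostname!r}")
    return target


def build_redirect_hardened(target: str, allowed_hosts: set[str]) -> bytes:
    """Hardened pattern: validate first, then render."""
    return render_redirect(sanitize_redirect_target(target, allowed_hosts))


def header_names(response: bytes) -> list[str]:
    """Return the header names a client would see, in order (for inspection)."""
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode("latin-1") for line in lines if line]


if __name__ == "__main__":
    # Constructed attacker-style input: a LF-terminated Location plus an injected header.
    injected = "https://fw.example.test/\r\nSet-Cookie: session=attacker-chosen"
    print(header_names(build_redirect_vulnerable(injected)))
    try:
        build_redirect_hardened(injected, {"fw.example.test"})
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

With the vulnerable builder the injected string produces a response whose header list is `Location`, `Set-Cookie`, `Content-Length`, which is exactly the response-splitting condition the article describes; the hardened builder refuses the same input and only passes clean relative paths or absolute URLs on an allow-listed host.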
A proof-of-concept (PoC) exploit has since been made available, demonstrating the potential impact of this vulnerability. In a demonstration of the exploit's effectiveness, an adversary could craft a malicious URL that triggers the execution of the PoC hosted on an attacker-controlled server, which then uploads a malicious .img file via the firmware upgrade functionality, granting root access to the firewall.
Threat intelligence firm GreyNoise has reported that exploitation attempts targeting CVE-2024-52875 commenced back on December 28, 2024, with the attacks originating from seven unique IP addresses from Singapore and Hong Kong to date. Furthermore, Censys has revealed that there are more than 23,800 internet-exposed GFI KerioControl instances, with a majority of these servers located in Iran, Uzbekistan, Italy, Germany, the United States, Czechia, Belarus, Ukraine, Russia, and Brazil.
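For defenders who want to check their own access logs for the kind of probing GreyNoise describes, the following Python is an added example (not from GreyNoise, Censys or GFI). It scans common-log-format lines for request URIs that decode to a carriage return or line feed, which is the signature of a CRLF-injection attempt against any redirect endpoint, and tallies hits per source address. The log lines, IP addresses and `/redirect` path are constructed for the example; the real affected URI paths are not named on this page.

```python
"""Flag percent-encoded CR/LF in request URIs and count attempts per source IP.

Added example; the sample log lines below are constructed, not real traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD URI PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: two benign requests, two with encoded CR/LF
# (the last one double-encoded, which a single decode pass would miss).
SAMPLE_LOG = """\
203.0.113.10 - - [28/Dec/2024:10:15:01 +0000] "GET /login HTTP/1.1" 200 1532
203.0.113.10 - - [28/Dec/2024:10:15:03 +0000] "GET /redirect?to=%2Fdashboard HTTP/1.1" 302 0
198.51.100.7 - - [28/Dec/2024:10:16:20 +0000] "GET /redirect?to=%2F%0d%0aSet-Cookie:%20a%3D1 HTTP/1.1" 302 0
198.51.100.7 - - [28/Dec/2024:10:16:22 +0000] "GET /redirect?to=%252F%250aX-Test:%25201 HTTP/1.1" 302 0
"""


def decode_levels(uri: str, max_levels: int = 2) -> list[str]:
    """Return the URI after 1..max_levels rounds of percent-decoding."""
    levels, current = [], uri
    for _ in range(max_levels):
        current = unquote(current)
        levels.append(current)
    return levels


def find_crlf_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose URI decodes to contain CR or LF."""
    findings = []
    for line in log_text.splitlines():
        match = CLF_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these too
        uri = match.group("uri")
        for level, decoded in enumerate(decode_levels(uri), start=1):
            if "\r" in decoded or "\n" in decoded:
                findings.append({
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "uri": uri,
                    "decode_level": level,   # 1 = single-encoded, 2 = double-encoded
                    "status": int(match.group("status")),
                })
                break
    return findings


def hits_by_source(findings: list[dict]) -> dict[str, int]:
    """Aggregate flagged requests per client IP for alerting or blocking."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = find_crlf_attempts(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']} level={hit['decode_level']} {hit['uri']}")
    print(hits_by_source(hits))
```

Running it over the constructed sample flags the two requests from `198.51.100.7` (one single-encoded, one double-encoded) and none from the benign client. A `302` status on a flagged request is worth treating as a stronger signal than a `4xx`, since it means the redirect path actually processed the input.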
In light of this vulnerability, users of GFI KerioControl firewalls are strongly advised to take immediate action to secure their instances as soon as possible. This includes applying any available patches or updates to affected versions and implementing additional security measures to prevent exploitation.
A fix for the vulnerability was released by GFI on December 19, 2024, with version 9.4.5 Patch 1. The release of this patch serves as a timely reminder of the importance of regular software updates and the need for vigilance in addressing emerging vulnerabilities.
The disclosure of this vulnerability highlights the ongoing cat-and-mouse game between cybersecurity professionals and threat actors. As new vulnerabilities are discovered, it is essential that organizations prioritize proactive security measures to prevent exploitation.
In conclusion, the newly disclosed vulnerability in GFI KerioControl firewalls underscores the critical importance of keeping software up to date and remaining vigilant in addressing emerging threats.
Published: Thu Jan 9 04:52:10 2025 by llama3.2 3B Q4_K_M