Attackers are actively exploiting a recently disclosed vulnerability in GFI KerioControl firewalls that, when chained as described below, can lead to remote code execution (RCE) on the appliance.
The vulnerability, tracked as CVE-2024-52875, is a carriage return line feed (CRLF) injection flaw that enables HTTP response splitting, which in turn can be used for reflected cross-site scripting (XSS) against the firewall's web interface.
By placing carriage return (\r) and line feed (\n) characters in request input that the firewall echoes into a response header, an attacker can end that header early and append headers and body content of their choosing. Chained with an administrator opening a crafted link, this becomes a 1-click RCE. Security researcher Egidio Romano, who discovered and reported the flaw in November 2024, confirmed that it affects KerioControl versions 9.2.5 through 9.4.5.
The CRLF injection has been found in several URI paths, including /nonauth/addCertException.cs, /nonauth/guestConfirm.cs and /nonauth/expiration.cs. Romano noted that user input passed to these pages via the ‘dest’ GET parameter is not properly sanitized before being used to build the ‘Location’ header of a 302 response. The application does not correctly filter or strip line feed characters, which allows HTTP response splitting and, through it, reflected XSS and other attacks. The /nonauth/ prefix indicates that these pages are reachable without authentication, so the injection itself needs no credentials; only the later steps of the chain depend on an administrator's browser.
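As an added illustration, not KerioControl's own code (the real handlers are not public), the following Python models the redirect described above: `redirect_vulnerable()` builds the 302 the way the advisory describes, `redirect_hardened()` validates `dest` first, and `parse_response()` reads the result the way a lenient HTTP client would. The function names, the payload and the parser are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# Added, constructed model of the flaw class described above. It is not KerioControl
# code: the real handlers (/nonauth/addCertException.cs and the others) are not public,
# so redirect_vulnerable() and redirect_hardened() are stand-ins that show the
# difference between echoing `dest` into Location unchecked and validating it first.

LINE_END = re.compile(rb"\r?\n")   # many HTTP clients accept a bare LF as a line terminator


def redirect_vulnerable(dest_param: str) -> bytes:
    """302 whose Location header is built from the decoded `dest` value without
    removing CR or LF. This is the CRLF-injection pattern behind CVE-2024-52875."""
    dest = unquote(dest_param)
    return (b"HTTP/1.1 302 Found\r\n"
            + b"Location: " + dest.encode("latin-1") + b"\r\n"
            + b"Content-Length: 0\r\n"
            + b"\r\n")


_NOT_PRINTABLE_ASCII = re.compile(r"[^\x21-\x7e]")


def safe_dest(dest_param: str):
    """Validate a redirect target. Decodes exactly once, then rejects anything that is
    not printable ASCII (which covers CR, LF, NUL, spaces and their %-encoded forms) and
    anything that is not a local absolute path, so the redirect cannot be turned into
    an open redirect either. Returns the clean path or None."""
    dest = unquote(dest_param)
    if _NOT_PRINTABLE_ASCII.search(dest):
        return None
    if not dest.startswith("/") or dest.startswith("//") or dest.startswith("/\\"):
        return None
    return dest


def redirect_hardened(dest_param: str) -> bytes:
    """Same redirect, but the target goes through safe_dest() first."""
    dest = safe_dest(dest_param)
    if dest is None:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (b"HTTP/1.1 302 Found\r\n"
            + b"Location: " + dest.encode("ascii") + b"\r\n"
            + b"Content-Length: 0\r\n"
            + b"\r\n")


def parse_response(raw: bytes) -> dict:
    """Read a raw response the way a lenient client does: the header block ends at the
    first empty line, CRLF and bare LF both terminate a line, the first Content-Length
    wins and truncates the body."""
    lines = LINE_END.split(raw)
    headers = {}
    i = 1
    while i < len(lines) and lines[i] != b"":
        name, _, value = lines[i].partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"),
                           value.strip().decode("latin-1"))
        i += 1
    body = b"\n".join(lines[i + 1:])
    if "content-length" in headers and headers["content-length"].isdigit():
        body = body[: int(headers["content-length"])]
    return {"status": lines[0].decode("latin-1"), "headers": headers, "body": body}


# Constructed payload: a bare LF (%0a) ends the Location header, a second one ends the
# header block, and an attacker-chosen HTML body follows. No CR is needed, which matters
# because the advisory says LF in particular was not filtered.
SPLIT_PAYLOAD = ("/%0aContent-Type:%20text/html%0aContent-Length:%2025%0a%0a"
                 "%3Cscript%3Ealert(1)%3C/script%3E")

if __name__ == "__main__":
    print(parse_response(redirect_vulnerable(SPLIT_PAYLOAD)))   # body is the injected <script>
    print(redirect_hardened(SPLIT_PAYLOAD))                      # 400, nothing reflected
    print(redirect_hardened("/admin/?x=1"))                      # ordinary 302
```

The hardened version decodes once and validates afterwards: a double-encoded `%250a` decodes to a literal `%0a`, which is harmless in a Location header, while a single-encoded `%0a` becomes a real LF and is rejected. Restricting the target to a local absolute path also closes the open-redirect variant of the same parameter.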
GFI fixed the vulnerability on December 19, 2024 in version 9.4.5 Patch 1. A proof-of-concept (PoC) exploit is also public. It builds a malicious URL that, when opened in the browser of a KerioControl administrator, abuses the reflected XSS to load script from an attacker-controlled server; that script runs in the administrator's session and uploads a crafted .img file through the firewall's firmware upgrade feature, which can give the attacker root on the appliance.
Threat intelligence organization GreyNoise has reported that attempts to exploit CVE-2024-52875 began on December 28, 2024. Notably, attacks have originated from various IP addresses located in Singapore and Hong Kong. Current data from Censys indicates there are over 23,800 instances of GFI KerioControl exposed on the internet, with a significant concentration in countries including Iran, Uzbekistan, Italy, Germany, the United States, Czechia, Belarus, Ukraine, Russia, and Brazil.
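For defenders who want to check whether their own appliance has been probed, here is an added detection example (not a GreyNoise or GFI artefact). It assumes a combined-style web access log, which is an assumption since KerioControl's own log layout may differ, and flags requests to the pre-authentication pages named in the advisory whose `dest` parameter carries a line break, whether encoded once or twice. The sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Added detection example, not a GreyNoise or GFI artefact. The log format below is an
# assumption (combined-style access log); adapt LOG_LINE to whatever front end or proxy
# actually records requests to the appliance.

# Paths named in the advisory; the list may be incomplete ("including").
VULN_PATHS = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_line_break(value: str, max_decodes: int = 2) -> bool:
    """True if the value contains CR or LF, or would after up to `max_decodes`
    further rounds of %-decoding (catches %250a style double encoding)."""
    for _ in range(max_decodes + 1):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return False


def classify_target(target: str):
    """Return a reason string if the request target looks like a CVE-2024-52875
    attempt, otherwise None. parse_qs already applies one round of decoding."""
    parts = urlsplit(target)
    if parts.path not in VULN_PATHS:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("dest", []):
        if has_line_break(value):
            return "CRLF in dest on " + parts.path
    return None


def scan_log(lines):
    """Return a list of (ip, timestamp, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify_target(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Dec/2024:11:02:13 +0000] "GET /nonauth/expiration.cs?dest=%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [28/Dec/2024:11:02:14 +0000] "GET /nonauth/expiration.cs?dest=%2F%0aContent-Type:%20text/html%0a%0a%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Dec/2024:11:05:41 +0000] "GET /nonauth/guestConfirm.cs?dest=%2F%250aX-Injected:%201 HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '192.0.2.5 - - [28/Dec/2024:11:07:02 +0000] "GET /admin/login?dest=%0a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(ip, ts, reason)
```

The first sample line is a benign redirect and is ignored; the second carries a plain `%0a`, the third a double-encoded `%250a`, and both are reported. The last line has a line break in `dest` but targets a path not listed in the advisory, so it is left alone; widen `VULN_PATHS` if you have reason to believe other handlers share the same code.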
What the attackers are doing after exploitation is not yet known. KerioControl users should update to 9.4.5 Patch 1 without delay and, given the exposure figures above, avoid leaving the appliance's web interface reachable from the internet. In MITRE ATT&CK terms the chain spans initial access (an administrator following a crafted link to a public-facing application) and privilege escalation (from a web session to root on the firewall via the firmware upload).