A serious vulnerability existed in the Kerio Control security software that could allow code execution attacks. The vulnerability existed in the platform for several years, affecting multiple versions. Users should apply the security fixes as soon as possible to prevent potential threats.
Kerio Control Vulnerability Could Allow Code Execution
Security researcher Egidio Romano discovered a serious security issue in the Kerio Control software. Kerio Control is a dedicated Unified Threat Management (UTM) solution from GFI Software that helps firms secure their internal networks.
As explained in his post, the security solution had numerous vulnerabilities that could allow arbitrary code execution. Identified as CVE-2024-52875, these vulnerabilities affected the software versions 9.2.5 through 9.4.5, a range that covers a large installed base of potentially exposed users. Since version 9.2.5 was first released in 2018, the software carried these vulnerabilities for roughly six years.
Specifically, the researcher discovered multiple HTTP Response Splitting vulnerabilities affecting at least the following pages:
- /nonauth/addCertException.cs
- /nonauth/guestConfirm.cs
- /nonauth/expiration.cs
The flaws existed due to improper sanitization of user input passed via the “dest” GET parameter before generating a “Location” HTTP header in a 302 HTTP response. Because the application did not sanitize linefeed (LF) characters in that parameter, it could be abused for Open Redirect, HTTP Response Splitting and Reflected XSS attacks. In the worst case, an adversary may even gain arbitrary code execution on the target systems. In his post, the researcher has presented a detailed technical analysis of these exploits.
Following this discovery, Romano promptly notified the vendor. Although the flaws initially appeared to be a low-severity issue, Romano rated them high severity, considering how they could be chained for 1-click RCE attacks and to gain root access to the firewall. An adversary could then access the target organization’s internal network structure.
In response to his report, the vendor patched the vulnerability in Kerio Control 9.4.5p1, as confirmed to the researcher. This updated release will soon reach customers to patch vulnerable systems. Until then, users may consider applying mitigations, such as restricting software access to trusted networks and admins, implementing strict input validation to prevent CRLF injection, and ensuring thorough employee awareness regarding the flaw.
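The root cause described above (a “dest” value copied into a “Location” header without stripping CR/LF) and the mitigation mentioned here (strict input validation against CRLF injection) are illustrated by the following added example. It is not Kerio Control's code or the researcher's proof of concept; only the three page paths come from the advisory. It shows a validator that refuses control characters and off-site targets before a redirect header is built, and a detector that flags access-log requests to the affected pages whose “dest” parameter carries an encoded CR/LF. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not Kerio Control's code. Two defensive pieces:
#  1. is_safe_dest / location_header: validate a redirect target so the
#     value can neither end the Location header line nor send the user
#     off-site.
#  2. flag_requests: scan constructed access-log lines for CR/LF in "dest"
#     on the pages the advisory lists.

# CR, LF and NUL are never valid inside an HTTP header field value.
CTL_CHARS = re.compile(r"[\r\n\x00]")

# Pages named in the advisory (the only identifiers taken from the page).
AFFECTED_PAGES = {
    "/nonauth/addCertException.cs",
    "/nonauth/guestConfirm.cs",
    "/nonauth/expiration.cs",
}


def is_safe_dest(dest: str) -> bool:
    """Accept only a same-origin absolute path with no control characters.

    The control-character check runs on the raw string on purpose: current
    Python versions strip ASCII newlines inside urlsplit(), so inspecting
    only the parsed result would silently pass an injected LF.
    """
    if not dest or CTL_CHARS.search(dest):
        return False
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:       # absolute URL -> open redirect
        return False
    if not dest.startswith("/") or dest.startswith("//"):
        return False                       # "//host" is scheme-relative
    return True


def location_header(dest: str, fallback: str = "/") -> str:
    """Build the Location line for a 302, substituting a fixed fallback
    path instead of echoing anything that fails validation."""
    return "Location: " + (dest if is_safe_dest(dest) else fallback)


# Request line inside a Common Log Format entry: method, path, optional query.
_REQ = re.compile(r'"(?:GET|POST|HEAD) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')


def flag_requests(log_lines):
    """Return (line_number, decoded dest) for requests to an affected page
    whose dest parameter contains CR/LF after one or two rounds of
    percent-decoding (parse_qs does the first; the second catches %250a)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQ.search(line)
        if not m or m.group("path") not in AFFECTED_PAGES:
            continue
        params = parse_qs(m.group("query") or "", keep_blank_values=True)
        for dest in params.get("dest", []):
            once, twice = dest, unquote(dest)
            if CTL_CHARS.search(once) or CTL_CHARS.search(twice):
                hits.append((n, twice))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /nonauth/expiration.cs?dest=/admin HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /nonauth/expiration.cs?dest=/x%0d%0afoo HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /nonauth/guestConfirm.cs?dest=/y%250aZ:1 HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for dest in ("/admin", "https://example.org/", "/x\nY: 1"):
        print(repr(dest), "->", location_header(dest))
    for n, dest in flag_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious dest {dest!r}")
```

The validator deliberately falls back to a fixed path rather than trying to strip the offending bytes, since partial cleaning of redirect targets tends to leave encoded or scheme-relative variants behind; the detector decodes twice because a single round of decoding is exactly what a front-end proxy or the log writer may already have done.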