7 Years Old RCE Vulnerability Addressed In Kerio Control

A critical vulnerability was identified in the Kerio Control security software, posing a risk of code execution attacks. This vulnerability has been present in the platform for several years, impacting multiple versions. It is crucial for users to promptly apply the necessary security fixes to safeguard their systems against potential threats.

Kerio Control Vulnerability Allows Code Execution

Egidio Romano, a security researcher, recently uncovered a significant security flaw in the Kerio Control software. Kerio Control, developed by GFI Software, is a specialized Unified Threat Management (UTM) solution designed to enhance network security for organizations.

In his findings, Romano highlighted several vulnerabilities within the security solution that could potentially enable malicious actors to execute arbitrary code. These vulnerabilities, identified as CVE-2024-52875, affected software versions ranging from 9.2.5 to 9.4.5, indicating a widespread risk among users. Given that version 9.2.5 was released in 2018, the software remained susceptible to these vulnerabilities for approximately six years.

The researcher specifically identified multiple HTTP Response Splitting vulnerabilities impacting various pages, including:

• /nonauth/addCertException.cs
• /nonauth/guestConfirm.cs
• /nonauth/expiration.cs

These vulnerabilities stemmed from inadequate sanitization of user input within the “dest” GET parameter before generating a “Location” HTTP header in a 302 HTTP response. The lack of proper sanitization for linefeed (LF) characters allowed for Open Redirect, HTTP Response Splitting, and Reflected XSS attacks. In severe cases, attackers could potentially achieve arbitrary code execution on target systems. The researcher provided a detailed technical analysis of these exploits in his post.

Upon discovering these vulnerabilities, Romano promptly notified the vendors to address the issue. Despite initially being perceived as a low-severity concern, the researcher highlighted the high severity of the situation, emphasizing the potential for 1-click RCE attacks and unauthorized access to firewall root privileges. This could potentially compromise an organization’s internal network infrastructure.

In response to Romano’s report, the vendors released a patch for the vulnerability with Kerio Control 9.4.5p1. This updated version will soon be made available to customers to secure vulnerable systems. In the meantime, users are advised to implement mitigations such as restricting software access to trusted networks and administrators, enforcing strict input validation to prevent CRLF injection, and enhancing employee awareness regarding the identified flaw.

We welcome your thoughts and feedback in the comments section.