Hackers Exploit KerioControl Firewall Flaw to Steal Admin CSRF Tokens
Summary:
Threat actors are actively attempting to exploit CVE-2024-52875, a critical CRLF injection vulnerability in the GFI KerioControl firewall, which can lead to 1-click remote code execution (RCE) attacks. KerioControl is a network security solution tailored for small and medium-sized businesses, offering features such as firewall protection, VPN, bandwidth management, traffic filtering, antivirus, reporting, and intrusion prevention. On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed report on CVE-2024-52875, showing how a seemingly minor HTTP response splitting issue can be exploited to trigger a remote code execution attack with just a single click.
Security Officer Comments:
The vulnerability affects KerioControl versions 9.2.5 to 9.4.5 and arises from improper sanitization of line feed (LF) characters in the 'dest' parameter, allowing attackers to manipulate HTTP headers and responses through injected payloads. This flaw enables the injection of malicious JavaScript into responses, which is executed in the victim's browser, potentially leading to the theft of cookies or CSRF tokens. An attacker could then use a stolen CSRF token from an authenticated admin to upload a malicious .IMG file containing a root-level shell script. This exploit leverages the Kerio upgrade functionality, allowing the attacker to open a reverse shell and gain remote control.
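The pattern behind the flaw described above, as an added illustration that is not code from the advisory or from GFI: a redirect handler that copies an unsanitized 'dest' value into a header, the control-character check that closes the hole, and a log scan that flags requests carrying CR/LF in that parameter. The handler shape, the /noauth/page path and the log lines are constructed assumptions, not KerioControl's own code or traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

def build_redirect_vulnerable(dest: str) -> str:
    # Unsafe pattern: the parameter is pasted straight into a header line, so a
    # bare LF in 'dest' terminates the Location header and anything after it
    # is parsed as further headers or body (HTTP response splitting).
    return f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\n\r\n"

def build_redirect_hardened(dest: str) -> str:
    # Fix: refuse control characters (CR, LF, NUL, ...) before the value
    # reaches header construction, and only accept local paths as targets.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise ValueError("control character in redirect target")
    if not dest.startswith("/") or dest.startswith("//"):
        raise ValueError("redirect target must be a local path")
    return f"HTTP/1.1 302 Found\r\nLocation: {dest}\r\n\r\n"

def hardened_rejects(dest: str) -> bool:
    try:
        build_redirect_hardened(dest)
    except ValueError:
        return True
    return False

def header_count(response: str) -> int:
    # Count header lines the way a lenient client does: a bare LF also ends a line.
    head = re.split(r"\r?\n\r?\n", response, maxsplit=1)[0]
    return len(re.split(r"\r?\n", head)) - 1  # status line excluded

def crlf_injection_attempts(log_lines):
    """Return access-log lines whose 'dest' query value contains CR or LF after
    URL decoding (one extra decode pass also catches double-encoded %250a)."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split(" ")) < 2:
            continue
        query = urlsplit(parts[1].split(" ")[1]).query
        for value in parse_qs(query, keep_blank_values=True).get("dest", []):
            if any(c in unquote(value) for c in "\r\n"):
                hits.append(line)
                break
    return hits

# Constructed sample log lines (not real traffic); the /noauth/page path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Dec/2024:10:01:02 +0000] "GET /noauth/page?dest=%2Fadmin%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [17/Dec/2024:10:01:07 +0000] "GET /noauth/page?dest=%2Fadmin%0aX-Injected%3A%201 HTTP/1.1" 302 0',
    '203.0.113.9 - - [17/Dec/2024:10:01:09 +0000] "GET /noauth/page?dest=%2Fadmin%250d%250a HTTP/1.1" 302 0',
]
```

Running `crlf_injection_attempts(SAMPLE_LOG)` returns the two lines whose decoded 'dest' contains a line break; the first, legitimate redirect is not flagged.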
Suggested Corrections:
According to security firm Censys, there are approximately 23,862 GFI KerioControl instances exposed to the internet. While it's unclear exactly how many of these instances are vulnerable to CVE-2024-52875, organizations should apply the latest patch (version 9.4.5p1) to prevent potential exploitation. If patching is not currently feasible, administrators should restrict access to KerioControl's web management interface by allowing only trusted IP addresses and block public access to the '/admin' and '/noauth' pages through firewall rules.
Link(s):
https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875
https://censys.com/cve-2024-52875/
https://www.bleepingcomputer.com/ne...rol-firewall-flaw-to-steal-admin-csrf-tokens/