CVE-2024-52875 - Critical Vulnerability in GFI Kerio Control 9.2.5 to 9.4.5: Open Redirect, HTTP Response Splitting, and Remote Code Execution

A critical security vulnerability, CVE-2024-52875, has been discovered in GFI Kerio Control, a widely used firewall and UTM solution. This vulnerability affects versions 9.2.5 through 9.4.5 and can be exploited by remote attackers to perform open redirect or HTTP response splitting attacks, ultimately leading to reflected cross-site scripting (XSS) and remote command execution. Users running vulnerable versions of GFI Kerio Control are advised to update to the latest version immediately to mitigate the risk posed by this vulnerability.

Details

This vulnerability stems from the improper sanitization of the "dest" GET parameter passed to the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs pages. This malformed input is then used to generate a Location HTTP header in a 302 HTTP response.

Exploit

An attacker can craft malicious URLs containing the exploit to perform open redirect or HTTP response splitting attacks. If a victim clicks on the malicious URL, their browser will execute the attacker's injected script, leading to reflected XSS. Moreover, remote command execution can be accomplished by abusing the upgrade feature in the admin interface.

The following code snippet demonstrates the exploitation of this vulnerability

GET /nonauth/guestConfirm.cs?dest=%d%[malicious_code_here] HTTP/1.1
Host: vulnerable_host
Connection: close
Pragma: no-cache

Original References

This vulnerability was originally reported by [Security Researcher's Name] and is documented in the following reference links:
1. CVE-2024-52875 official CVE page (MITRE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52875
2. National Vulnerability Database (NVD) Detailed Report: https://nvd.nist.gov/vuln/detail/CVE-2024-52875
3. GFI Kerio Control vendor page: https://www.gfi.com/products-and-solutions/network-security-solutions/kerio-control

Mitigation

In order to mitigate the risk posed by this vulnerability, users are advised to update their GFI Kerio Control installations to the latest version immediately. Additionally, users should always be cautious when clicking on links from untrusted sources and should not allow unauthorized access to their web applications' admin interface.

Conclusion

CVE-2024-52875 is a critical security vulnerability in GFI Kerio Control, which allows remote attackers to perform open redirect, HTTP response splitting, and remote code execution. This vulnerability highlights the importance of proper input validation and sanitization in web applications, as well as keeping software up-to-date to protect against known vulnerabilities. Users must apply the latest updates to their installations and should always exercise caution when interacting with online content to prevent falling victim to similar attacks.

Timeline

Published on: 01/31/2025 08:15:07 UTC