1-Click RCE Attack in Kerio Control UTM Let Attackers Gain Root Access To the Firewall

Researchers have identified a critical set of HTTP Response Splitting vulnerabilities in Kerio Control, a widely used Unified Threat Management (UTM) solution developed by GFI Software.

The impact is severe, potentially enabling attackers to escalate low-severity issues into one-click remote command execution (RCE) attacks that grant root access to the firewall system.

These vulnerabilities, collectively tracked as CVE-2024-52875 (or KIS-2024-07), have persisted in the software for nearly seven years and affect versions from 9.2.5 (released March 2018) to 9.4.5.

HTTP Response Splitting Vulnerabilities

The vulnerabilities stem from a CRLF Injection bug in several pages of the web interface, including:

• /nonauth/addCertException.cs
• /nonauth/guestConfirm.cs
• /nonauth/expiration.cs

The issue involves the improper sanitization of user input passed via the dest GET parameter, which is used to generate a “Location” HTTP header in a 302 Found response.

“Specifically, the application fails to strip Line Feed (LF) characters (\n), allowing attackers to exploit the software for malicious activities such as HTTP Response Splitting, Open Redirects, and Reflected Cross-Site Scripting (XSS)” Karmain Security research stated.

How the Exploit Works

By injecting payloads encoded in Base64 into the dest parameter, attackers can manipulate the HTTP response to inject arbitrary HTTP headers and even custom HTML content. For example:

1. Open Redirect Attacks: Injecting a malicious URL as the dest parameter can redirect users to external websites controlled by attackers.
2. HTTP Response Splitting: Attackers can exploit improperly handled LF sequences to split HTTP responses, injecting arbitrary data into the response body. This enables reflected XSS attacks where custom scripts execute in the victim’s browser.

Initially classified as a “Low” severity issue due to the need for user interaction, further analysis revealed the vulnerabilities could be escalated to High (8.8) severity. By leveraging a nine-year-old exploit in Kerio Control’s upgrade functionality, attackers can deliver a Remote Command Execution (RCE) payload in just one click.

Stealing Admin Cookies: By using an iframe to load resources under the /admin/ path, attackers can bypass cookie restrictions and access the CSRF token required for administrative actions.

Abusing Upgrade Functionality: The exploit abuses Kerio Control’s firmware upgrade feature, which improperly handles .img files. Attackers can package a malicious script in a .tar.gz file, rename it to .img, and upload it as a firmware update. If the script contains shell commands, they execute with root privileges.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

1-Click RCE Attack

A Proof of Concept (PoC) script demonstrates how a victim Kerio Control admin can be tricked into visiting a malicious link:

1. The attacker creates a malicious .img file containing a shell script that starts a reverse shell.
2. The admin user unknowingly triggers the script by clicking the attacker’s link.
3. Using the admin’s CSRF token, the exploit uploads the .img file as a firmware upgrade.
4. The attacker gains a root shell on the Kerio Control instance.

When executed, the attacker can control the system with root permissions, effectively bypassing all security measures.

Kerio Control is trusted to safeguard networks across the globe. With approximately 20,000 instances actively deployed on the internet, according to Censys data, these vulnerabilities pose a major threat to organizations relying on the software to secure their infrastructure.

The discovery of CVE-2024-52875 underscores several critical cybersecurity lessons:

• Even Security Products Are Vulnerable: Products designed to protect from attacks may themselves be vectors for exploitation if not rigorously maintained.
• Old Exploits Persist: The exploit used in this case stems from a vulnerability disclosed nearly a decade ago and has not been mitigated, highlighting a worrying gap in code audits and updates.
• Attackers Think Creatively: Combining techniques like XSS, cookie theft, and firmware abuse demonstrates how attackers can escalate seemingly minor issues into devastating breaches.

GFI released a fix on December 19, 2024, to address the vulnerability. Users are urged to update to Version 9.4.5 Patch 2.

While Kerio Control remains a critical tool for network defense, these findings urge greater vigilance in ensuring that security products themselves are protected against attack. Security is not a destination it’s an ongoing process.

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide