GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities

https://gfi.ai/products-and-solutions/network-security-solutions/keriocontrol

http://download.kerio.com

• Affected Versions:

All versions from 9.2.5 to 9.4.5.

• Vulnerabilities Description:

There are multiple HTTP Response Splitting vulnerabilities in GFI Kerio Control. The following are some of the affected pages:

  • /nonauth/addCertException.cs
  • /nonauth/guestConfirm.cs
  • /nonauth/expiration.cs

User input passed to these pages via the “dest” GET parameter is not properly sanitized before being used to generate a “Location” HTTP header in a 302 HTTP response. Specifically, the application does not correctly filter/remove linefeed (LF) characters. Because an LF terminates the Location header, whatever follows it in the parameter is emitted as further headers and, after a blank line, as the response body. This can be exploited to perform HTTP Response Splitting attacks, which in turn might allow an attacker to carry out Reflected Cross-Site Scripting (XSS) and possibly other attacks.

NOTE: the Reflected XSS vector might be abused to perform 1-click Remote Code Execution (RCE) attacks.
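The following Python model is added here as an illustration; it is not Kerio Control code and not the PoC linked below. It shows the mechanism the description above refers to: a redirect handler that copies the percent-decoded “dest” value into the Location header after stripping CR but not LF, a lenient client-side parse that treats a bare LF as a header terminator (so the injected header and body become visible), and a hardened handler that rejects control characters and anything that is not a local absolute path. The handler shape, the payload, the probe URL helper and the response layout are assumptions made for the example; the 1-click RCE chain mentioned in the note is not modelled.

```python
# Added illustration, not Kerio Control code. Handler behaviour, payload and
# client behaviour are assumptions made for this example.
from urllib.parse import parse_qs, urlsplit

# Constructed payload: a bare LF (%0a) ends the Location header, one extra
# header is injected, a second LF pair ends the header block and the rest
# becomes the body. No CR is used because the modelled filter strips CR only.
PAYLOAD = "/%0aContent-Type:%20text/html%0a%0a<script>alert(document.domain)</script>"


def probe_url(base: str, page: str = "/nonauth/expiration.cs") -> str:
    """Build the probe URL for one of the pages listed in the advisory."""
    return f"{base.rstrip('/')}{page}?dest={PAYLOAD}"


def dest_from_query(query_string: str) -> str:
    """Extract and percent-decode the dest parameter like a web server would."""
    return parse_qs(query_string, keep_blank_values=True).get("dest", [""])[0]


def build_redirect_vulnerable(dest: str) -> bytes:
    """Assumed vulnerable behaviour: CR removed, LF copied into the header."""
    location = dest.replace("\r", "")
    return (
        "HTTP/1.1 302 Found\n"
        f"Location: {location}\n"
        "Content-Length: 0\n"
        "\n"
    ).encode()


class BadRedirect(ValueError):
    """Raised by the hardened handler when dest is not an acceptable target."""


def build_redirect_fixed(dest: str) -> bytes:
    """Hardened form: refuse all control characters and any non-local target."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise BadRedirect("control character in dest")
    parts = urlsplit(dest)
    # Also refuse absolute URLs and protocol-relative (//host) paths so the
    # parameter cannot be turned into an open redirect.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise BadRedirect("dest must be a local absolute path")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_lenient(raw: bytes):
    """Parse like a lenient client that accepts a bare LF as a line terminator.

    Returns (status_line, headers, body). The first occurrence of a header
    name wins, so an injected header placed before the server's own one
    is the value the client acts on.
    """
    text = raw.replace(b"\r\n", b"\n")
    head, _, body = text.partition(b"\n\n")
    lines = head.split(b"\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), value.strip().decode())
    return lines[0].decode(), headers, body


def splits_response(raw: bytes) -> bool:
    """True if the injected header and body reached the client as such."""
    _, headers, body = parse_lenient(raw)
    return headers.get("content-type") == "text/html" and b"<script>" in body


def demo():
    """Run the payload through both handlers; returns (vulnerable_splits, fixed_rejected)."""
    dest = dest_from_query("dest=" + PAYLOAD)
    vulnerable_splits = splits_response(build_redirect_vulnerable(dest))
    try:
        build_redirect_fixed(dest)
        fixed_rejected = False
    except BadRedirect:
        fixed_rejected = True
    return vulnerable_splits, fixed_rejected


if __name__ == "__main__":
    print(demo())
```

The decisive check is the one in `build_redirect_fixed`: rejecting every byte below 0x20 (not just CR) is what closes the hole, since browsers differ in whether a bare LF ends a header line. A server-side fix that only strips CR, as the vulnerable model does, leaves the LF path open.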

• Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-52875.php

• Solution:

No official solution is currently available.

• Disclosure Timeline:

[06/11/2024] – Vulnerabilities details sent to the vendor

[07/11/2024] – Vendor response stating “we’ll take steps to resolve these vulnerabilities in coming releases of Kerio Control”

[07/11/2024] – CVE identifier requested

[17/11/2024] – CVE identifier assigned

[17/11/2024] – Vendor was contacted inquiring about the ETA for the next Kerio Control release; no response

[28/11/2024] – Vendor was contacted again and provided with a 1-click RCE Proof of Concept script, emphasizing these should be considered high-risk vulnerabilities that should be addressed as soon as possible

[28/11/2024] – Vendor response stating “thank you very much for this information, I will immediately consult with rest of the team”

[03/12/2024] – Vendor email stating “would you mind to share with us any script you used while exploiting the vulnerabilities?”

[03/12/2024] – Proof of Concept script and replication steps sent to the vendor, along with a follow-up inquiry about the ETA for a patched Kerio Control version; no response

[06/12/2024] – Vendor was informed that public disclosure is scheduled to occur within two weeks

[11/12/2024] – Vendor response stating “these vulnerabilities were already fixed and will be part of Kerio Control 9.4.5p1 which is now with our internal QA team”

[16/12/2024] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-52875 to these vulnerabilities.

• Credits:

Vulnerabilities discovered by Egidio Romano.