CVE-2024-32384
📋 TL;DR
Kerlink gateways running KerOS versions before 5.10 expose their web interface over unencrypted HTTP only, without HTTPS support. This allows man-in-the-middle attackers to intercept, read, and modify traffic between clients and the gateway. Organizations using affected Kerlink IoT gateways are vulnerable.
💻 Affected Systems
- Kerlink gateways running KerOS
📦 What is this software?
KerOS by Kerlink
⚠️ Risk & Real-World Impact
Worst Case
Attackers could intercept administrative credentials, modify gateway configurations, inject malicious firmware updates, or disrupt IoT network operations.
Likely Case
Credential theft leading to unauthorized gateway access, configuration changes, or traffic interception of IoT device communications.
If Mitigated
Limited to denial-of-service attacks if strong authentication and network segmentation are in place, but traffic confidentiality remains compromised.
🎯 Exploit Status
Requires man-in-the-middle position but uses standard HTTP interception techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KerOS 5.10
Vendor Advisory: https://keros.docs.kerlink.com/security/security_advisories_kerOS5
Restart Required: Yes
Instructions:
1. Download KerOS 5.10 from the Kerlink support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Verify that HTTPS is enabled and HTTP is disabled in the interface settings.
🔧 Temporary Workarounds
Network Segmentation
Isolate Kerlink gateways on separate VLANs with strict firewall rules limiting access to management interfaces.
Reverse Proxy with TLS Termination
Place a reverse proxy (nginx, Apache) in front of the gateways to add HTTPS encryption and restrict direct HTTP access. The proxy must reach the gateway's plaintext interface over a segregated management network, otherwise the hop from proxy to gateway is still interceptable.
# Example nginx config snippet: terminate TLS at the proxy, forward to the
# gateway's plaintext interface over the management network only.
server {
    listen 443 ssl;
    server_name gateway.example.com;
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    location / {
        proxy_pass http://gateway-ip:80;   # replace gateway-ip with the gateway's management address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# Send any plaintext client to HTTPS so credentials are never submitted over HTTP.
server {
    listen 80;
    server_name gateway.example.com;
    return 301 https://$host$request_uri;
}
🧯 If You Can't Patch
- Deploy network-level encryption (IPsec/VPN tunnels) between management clients and gateways.
- Implement strict network access controls allowing only trusted IPs to connect to gateway web interfaces.
🔍 How to Verify
Check if Vulnerable:
Access the gateway web interface over HTTP (not HTTPS) and read the KerOS version in the admin panel. If the version is below 5.10 and HTTPS is unavailable, the gateway is vulnerable.
Check Version:
curl -s http://[gateway-ip]/api/version
(or read the version from the web interface login page)
Verify Fix Applied:
Confirm KerOS version is 5.10+ and web interface is accessible only via HTTPS (HTTP should redirect or be disabled).
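The three checks above (version below 5.10, HTTPS unavailable, HTTP not redirecting) are easy to get wrong by hand; in particular a plain string comparison ranks "5.9" above "5.10". The following script is an added example, not Kerlink's code: it assumes the web interface uses the default ports (TCP/80, and TCP/443 once fixed) and that the operator supplies the KerOS version read from the admin panel or login page. The verdict logic is separated from the network probes so it can be reviewed and tested offline.

```python
"""Verification helpers for the KerOS HTTP-only issue (CVE-2024-32384).

Added example, not Kerlink code. Assumes the gateway's web interface listens on
the default ports (TCP/80 for HTTP, TCP/443 for HTTPS once fixed) and that the
operator supplies the KerOS version read from the admin panel or login page.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = "5.10"  # first KerOS release with HTTPS support, per the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.9.2' -> (5, 9, 2). Compare numerically: as strings, '5.9' > '5.10'."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_is_affected(version: str) -> bool:
    """True for every KerOS release before 5.10."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def redirects_to_https(status: Optional[int], location: Optional[str]) -> bool:
    """True when a plaintext request was answered with a redirect to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def assess(version: str, http_ok: bool, https_ok: bool, http_redirects: bool) -> str:
    """Combine the version and the transport observations into one verdict."""
    if not http_ok and not https_ok:
        return "unknown"              # management interface not reachable from here
    if version_is_affected(version):
        return "vulnerable"           # pre-5.10 firmware has no HTTPS at all
    if http_ok and not https_ok:
        return "vulnerable"           # plaintext only, whatever the version claims
    if not http_ok or http_redirects:
        return "fixed"                # HTTPS up; HTTP disabled or redirecting
    return "partially_mitigated"      # HTTPS up, but plaintext HTTP still answers


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so an HTTP -> HTTPS redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 5.0) -> Tuple[bool, Optional[int], Optional[str]]:
    """Return (reachable, status, Location header) for one URL.

    Certificate verification is disabled only because gateways usually carry
    self-signed certificates; this probe tests reachability, not trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return True, resp.status, None
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx still mean "listening"
        return True, err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return False, None, None


def check_gateway(host: str, version: str) -> str:
    """Probe both schemes on a gateway and return assess()'s verdict."""
    http_ok, http_status, location = probe(f"http://{host}/")
    https_ok, _, _ = probe(f"https://{host}/")
    return assess(version, http_ok, https_ok, redirects_to_https(http_status, location))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_keros.py <gateway-ip> <keros-version>")
    print(check_gateway(sys.argv[1], sys.argv[2]))
```

Run it from a management host as `python3 check_keros.py <gateway-ip> <keros-version>`. A result of "partially_mitigated" means HTTPS came up after the update but the plaintext listener is still answering, so the fourth patch step (disable HTTP in the interface settings) has not been completed.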
📡 Detection & Monitoring
Log Indicators:
- Failed HTTPS connection attempts
- Unusual admin login locations/times
- Configuration change logs without authorized user
Network Indicators:
- HTTP traffic to gateway management ports (typically 80)
- Lack of HTTPS traffic to gateways
- ARP spoofing or unusual routing near gateways
SIEM Query:
source_ip=[gateway-ip] AND (protocol=HTTP OR port=80) AND NOT (user=authorized_admin)
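The network indicators and the SIEM query above reduce to two questions per flow record: is plaintext HTTP reaching a gateway's management port, and is the source one of the hosts that should be managing it. The script below is an added example, not Kerlink's code or a vendor-supplied detection. The key=value flow format, the gateway addresses and the admin allowlist are all constructed for the demonstration; map them onto your own NetFlow or Zeek export and asset inventory. It also reports gateways that were reached over port 80 but never over 443, which is the "lack of HTTPS traffic" indicator.

```python
"""Triage of flow records for the network indicators listed above.

Added example, not Kerlink code. The flow format (key=value pairs), the gateway
addresses and the admin allowlist are all constructed for this demonstration;
map them onto your own NetFlow/Zeek export and asset inventory.
"""
from typing import Dict, List, Set

GATEWAYS: Set[str] = {"10.0.5.10", "10.0.5.11"}   # constructed: gateway management IPs
AUTHORIZED_ADMINS: Set[str] = {"10.0.1.5"}        # constructed: hosts allowed to manage them
HTTP_PORT, HTTPS_PORT = 80, 443

# Constructed sample flows: one HTTPS admin session, one stranger on plaintext HTTP,
# one admin on plaintext HTTP, one SSH flow, and one HTTP flow to a non-gateway.
SAMPLE_FLOWS = """\
ts=2024-05-01T08:00:01Z src=10.0.1.5 dst=10.0.5.10 dport=443 proto=tcp
ts=2024-05-01T08:00:07Z src=10.0.1.23 dst=10.0.5.10 dport=80 proto=tcp
ts=2024-05-01T08:01:12Z src=10.0.1.5 dst=10.0.5.11 dport=80 proto=tcp
ts=2024-05-01T08:02:40Z src=10.0.9.77 dst=10.0.5.11 dport=22 proto=tcp
ts=2024-05-01T08:03:03Z src=10.0.1.42 dst=10.0.7.1 dport=80 proto=tcp
"""


def parse_flow(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def triage(flow_text: str, gateways: Set[str], admins: Set[str]) -> Dict[str, object]:
    """Apply the advisory's network indicators to a batch of flows.

    Returns alerts for plaintext HTTP to a gateway (high if the source is not an
    authorised admin host, medium if it is, since credentials still cross the
    wire in clear) and the set of gateways that were only ever reached over HTTP.
    """
    alerts: List[Dict[str, str]] = []
    seen_http: Set[str] = set()
    seen_https: Set[str] = set()
    for line in flow_text.splitlines():
        f = parse_flow(line)
        dst, src = f.get("dst"), f.get("src")
        if dst not in gateways or not f.get("dport", "").isdigit():
            continue                      # not a gateway, or no usable port field
        dport = int(f["dport"])
        if dport == HTTPS_PORT:
            seen_https.add(dst)
        elif dport == HTTP_PORT:
            seen_http.add(dst)
            authorised = src in admins
            alerts.append({
                "ts": f.get("ts", ""),
                "src": src or "",
                "gateway": dst,
                "severity": "medium" if authorised else "high",
                "reason": ("authorised host using plaintext management" if authorised
                           else "plaintext HTTP to gateway from non-admin host"),
            })
    return {"alerts": alerts, "plaintext_only_gateways": seen_http - seen_https}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS, GATEWAYS, AUTHORIZED_ADMINS)
    for a in result["alerts"]:
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['gateway']}: {a['reason']}")
    print("gateways never seen over HTTPS:", sorted(result["plaintext_only_gateways"]))
```

The medium-severity alert for an authorised admin is deliberate: on a pre-5.10 gateway that session is exactly the credential exposure the advisory describes, so it should be tracked until the gateway is patched or moved behind a TLS-terminating proxy, after which port-80 flows from clients should disappear entirely.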