CVE-2024-39148
📋 TL;DR
CVE-2024-39148 allows unauthenticated remote attackers to execute arbitrary operating system commands as root on KerOS systems by exploiting improper validation of 'magic URLs' in the wmp-agent service. This affects KerOS versions prior to 5.12 when the service is network-accessible. Organizations using vulnerable KerOS versions with wmp-agent exposed to network traffic are at risk.
💻 Affected Systems
- KerOS
📦 What is this software?
KerOS by Kerlink
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level command execution, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution leading to unauthorized access, lateral movement within the network, and potential data exfiltration.
If Mitigated
Limited impact if the service is firewalled to localhost only, though a local attacker could still exploit it.
🎯 Exploit Status
Exploitation requires network access to the wmp-agent service, which is often firewalled by default but may be exposed in some deployments.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KerOS 5.12
Vendor Advisory: https://keros.docs.kerlink.com/security/security_advisories_kerOS5
Restart Required: Yes
Instructions:
1. Download KerOS 5.12 from official vendor sources.
2. Apply the update following the KerOS upgrade procedures.
3. Restart affected systems so that the wmp-agent service runs the patched version.
🔧 Temporary Workarounds
Network Isolation
Configure firewall rules to restrict the wmp-agent service to localhost only, preventing remote exploitation. Replace [wmp-agent-port] with the port the service listens on; since iptables evaluates a chain in order, the ACCEPT rule must be added before the DROP rule:
iptables -A INPUT -p tcp --dport [wmp-agent-port] -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport [wmp-agent-port] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate KerOS systems from untrusted networks.
- Deploy host-based intrusion detection systems to monitor for command execution anomalies on KerOS devices.
🔍 How to Verify
Check if Vulnerable:
Check the KerOS version with the 'keros-version' command, and check whether the wmp-agent service is listening on a network interface (rather than only on 127.0.0.1) using 'netstat -tlnp | grep wmp-agent'.
Check Version:
keros-version
Verify Fix Applied:
Confirm that the KerOS version is 5.12 or later, and validate through security testing that the wmp-agent service no longer accepts malicious magic URL requests.
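The two checks above (version below 5.12, and wmp-agent listening beyond loopback) as a POSIX shell script. This is an added example, not code from Kerlink or the advisory; the netstat sample is constructed, and the wmp-agent port numbers in it are placeholders, since the advisory does not state the port.

```shell
#!/bin/sh
# Added example, not from the Kerlink advisory. Checks whether a KerOS build is
# older than the fixed release (5.12) and whether wmp-agent listens beyond
# loopback, using `netstat -tlnp` output read from stdin.
FIXED_VERSION="5.12"

# keros_needs_patch VERSION -> exit 0 if VERSION is older than 5.12
keros_needs_patch() {
    echo "$1 $FIXED_VERSION" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, "."); n = (n1 > n2) ? n1 : n2
        for (i = 1; i <= n; i++) {
            x = (i <= n1) ? a[i] + 0 : 0; y = (i <= n2) ? b[i] + 0 : 0
            if (x < y) exit 0   # older than the fix
            if (x > y) exit 1   # newer than the fix
        }
        exit 1                  # equal: already on 5.12
    }'
}

# wmp_agent_exposed < netstat-output -> prints every wmp-agent LISTEN socket not
# bound to loopback; exit 0 if any was found, 1 otherwise
wmp_agent_exposed() {
    awk '$NF ~ /\/wmp-agent$/ && $6 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr != "127.0.0.1" && addr != "::1") { print $4; found = 1 }
    } END { if (found) exit 0; exit 1 }'
}

# keros_cve_2024_39148_status VERSION < netstat-output -> prints one of
#   patched | vulnerable-exposed | vulnerable-local-only
keros_cve_2024_39148_status() {
    if ! keros_needs_patch "$1"; then echo patched
    elif wmp_agent_exposed >/dev/null; then echo vulnerable-exposed
    else echo vulnerable-local-only
    fi
}

# Constructed sample of `netstat -tlnp` output (not from a real device); 9999 and
# 9998 are placeholder ports, as the advisory does not state the wmp-agent port.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  412/sshd
tcp        0      0 0.0.0.0:9999       0.0.0.0:*        LISTEN  517/wmp-agent
tcp        0      0 127.0.0.1:9998     0.0.0.0:*        LISTEN  517/wmp-agent'

# Stand-alone run: a 5.10 device with wmp-agent on 0.0.0.0 -> vulnerable-exposed
printf '%s\n' "$SAMPLE_NETSTAT" | keros_cve_2024_39148_status "5.10"
```

On a real device, feed it `keros-version` output and `netstat -tlnp` instead of the sample: `netstat -tlnp | keros_cve_2024_39148_status "$(keros-version)"`.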
📡 Detection & Monitoring
Log Indicators:
- Unusual wmp-agent service activity, unexpected command execution logs, or failed authentication attempts to the service.
Network Indicators:
- Network traffic to wmp-agent service from unauthorized sources, especially containing suspicious URL patterns.
SIEM Query:
source="keros" AND (process="wmp-agent" AND (url="*magic*" OR command="*"))