CVE-2024-52875
📋 TL;DR
This vulnerability in GFI Kerio Control allows attackers to perform open redirect, HTTP response splitting, and reflected cross-site scripting (XSS) attacks via unsanitized input in certain web pages. It can escalate to remote command execution by leveraging the admin interface's upgrade feature. Affected users are those running vulnerable versions of GFI Kerio Control, particularly if exposed to untrusted networks.
💻 Affected Systems
- GFI Kerio Control
⚠️ Risk & Real-World Impact
Worst Case
Remote command execution leading to full system compromise, data theft, or ransomware deployment via the admin upgrade feature.
Likely Case
Reflected XSS or open redirect attacks enabling session hijacking, phishing, or credential theft against users.
If Mitigated
Limited impact if patched or network-isolated, with potential for minor data exposure but no system takeover.
🎯 Exploit Status
Exploitation requires crafting malicious URLs but does not need authentication; escalation to RCE involves additional steps in the admin interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 9.4.6 or later
Vendor Advisory: https://support.kerio.com/
Restart Required: No
Instructions:
1. Log into the Kerio Control admin interface.
2. Navigate to the update section.
3. Apply the latest patch to upgrade to version 9.4.6 or higher.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Block Access to Vulnerable Pages
Use firewall rules or web application filters to block external access to /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs.
🧯 If You Can't Patch
- Isolate the Kerio Control instance from untrusted networks using network segmentation.
- Implement strict input validation and output encoding at the web server level to mitigate XSS and redirect attacks.
🔍 How to Verify
Check if Vulnerable:
Check the Kerio Control version via the admin interface; if it is between 9.2.5 and 9.4.5 inclusive, it is vulnerable.
Check Version:
In Kerio Control admin, go to Dashboard or System Status to view the current version.
Verify Fix Applied:
After patching, confirm the version is 9.4.6 or later and test that crafted URLs to the vulnerable pages no longer trigger redirects or XSS.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP 302 redirects from /nonauth/ pages with suspicious dest parameters in web server logs.
Network Indicators:
- HTTP requests containing crafted dest parameters targeting the vulnerable endpoints.
SIEM Query:
source="kerio_control" AND (url_path="/nonauth/addCertException.cs" OR url_path="/nonauth/guestConfirm.cs" OR url_path="/nonauth/expiration.cs") AND http_status=302 AND query_string="*dest=*"
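The log indicator above (302 responses from the three /nonauth/ pages carrying a dest parameter) can be applied offline to exported web server logs. The following is an added example, not code from the advisory or from GFI; it assumes a combined-log-style line layout (Kerio's actual log format may differ) and uses constructed sample lines. Beyond the plain match, it flags dest values that look like the abuse classes the page names: an external redirect target, CR/LF sequences (response splitting), or script-like content (reflected XSS).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in a combined-log-style layout (assumed format,
# not real Kerio Control logs). Hosts and paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "GET /nonauth/expiration.cs?dest=%2Fadmin HTTP/1.1" 302 0
203.0.113.9 - - [10/Jan/2025:10:01:05 +0000] "GET /nonauth/addCertException.cs?dest=https%3A%2F%2Fexample.net%2F HTTP/1.1" 302 0
203.0.113.9 - - [10/Jan/2025:10:01:07 +0000] "GET /nonauth/guestConfirm.cs?dest=%2F%0d%0aX-Test%3A1 HTTP/1.1" 302 0
10.0.0.7 - - [10/Jan/2025:10:02:00 +0000] "GET /nonauth/expiration.cs?dest=%2Flogin HTTP/1.1" 200 512
10.0.0.8 - - [10/Jan/2025:10:02:10 +0000] "GET /admin/ HTTP/1.1" 302 0
"""

# The three endpoints named in the workaround section of the advisory.
VULN_PATHS = {"/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", "/nonauth/expiration.cs"}
# client_ip, timestamp, method, request-target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify_dest(dest):
    """Return reasons a (already percent-decoded) dest value looks suspicious; [] if benign."""
    reasons = []
    raw = unquote(dest)  # strip one more encoding layer in case the value was double-encoded
    if "\r" in raw or "\n" in raw:
        reasons.append("crlf")      # CR/LF in a redirect target: header injection / response splitting
    target = urlsplit(raw)
    if target.scheme or target.netloc or raw.startswith("//"):
        reasons.append("external")  # redirect would leave the appliance: open redirect
    if "<" in raw or raw.lower().startswith("javascript:"):
        reasons.append("script")    # markup or a script URL in reflected input: XSS indicator
    return reasons

def scan_log(text):
    """Return (client_ip, path, dest, reasons) for each 302 from a vulnerable page with a dest param."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, url, status = m.groups()
        parts = urlsplit(url)
        if parts.path not in VULN_PATHS or status != "302":
            continue
        for dest in parse_qs(parts.query).get("dest", []):
            hits.append((ip, parts.path, dest, classify_dest(dest)))
    return hits

if __name__ == "__main__":
    for ip, path, dest, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} dest={dest!r} flags={reasons or ['review']}")
```

A hit with no flags is still worth a look, since the indicator itself (a 302 with dest from these pages) is what the SIEM query matches; the flags only prioritise.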