CVE-2024-52875
Published: 31 January 2025
Summary
CVE-2024-52875 is a high-severity HTTP Request/Response Splitting (CWE-113) vulnerability in Gfi Kerio Control. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of the 'dest' GET parameter to block malicious inputs like CRLF characters or invalid URLs used in the Location header, directly preventing open redirects, response splitting, and reflected XSS.
SI-15 requires filtering of outputs in HTTP responses, such as sanitizing the Location header content derived from the 'dest' parameter to eliminate injected payloads leading to XSS or splitting.
SI-9 enforces restrictions on input types, lengths, and characters for parameters like 'dest', limiting opportunities for CRLF injection or oversized payloads in unauthenticated pages.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The HTTP Response Splitting (CRLF/LF injection) vulnerability in the unauthenticated web pages of GFI Kerio Control enables exploitation of a public-facing application (T1190) and remote services (T1210), facilitating reflected XSS, open redirects, and remote command execution via the admin upgrade feature.
NVD Description
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonauth/addCertException.cs and /nonauth/guestConfirm.cs and /nonauth/expiration.cs pages is not properly sanitized before being used to generate a Location HTTP header in a 302…
more
HTTP response. This can be exploited to perform Open Redirect or HTTP Response Splitting attacks, which in turn lead to Reflected Cross-Site Scripting (XSS). Remote command execution can be achieved by leveraging the upgrade feature in the admin interface.
Deeper analysisAI
CVE-2024-52875 affects GFI Kerio Control versions 9.2.5 through 9.4.5. The vulnerability stems from improper sanitization of the "dest" GET parameter passed to the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs pages. This parameter is used directly to generate the Location HTTP header in a 302 response, enabling Open Redirect and HTTP Response Splitting attacks that lead to Reflected Cross-Site Scripting (XSS), classified under CWE-113. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H). Remote command execution is also achievable by leveraging the upgrade feature in the admin interface.
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as a victim clicking a crafted link. Attackers can manipulate the "dest" parameter to redirect users to malicious sites or inject CRLF characters for response splitting, facilitating reflected XSS to steal session cookies or perform further attacks. By chaining this with the admin interface's upgrade functionality, full remote command execution can be attained, granting high confidentiality, integrity, and availability impacts.
Advisories detailing the vulnerability, including potential mitigations and patches, are available from the referenced sources: https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875 and http://seclists.org/fulldisclosure/2024/Dec/15.
Details
- CWE(s)