lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CAJeQoQevFN6rDz9nfYA-YtL6+yGi6Ynq9DA8X-fepg+tEsBAWA@mail.gmail.com>
Date: Mon, 16 Dec 2024 19:27:17 +0100
From: Egidio Romano <n0b0d13s@...il.com>
To: fulldisclosure@...lists.org
Cc: submissions@...ketstormsecurity.com, submit@...sec.com
Subject: [FD] [KIS-2024-07] GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities

---------------------------------------------------------------------------
GFI Kerio Control <= 9.4.5 Multiple HTTP Response Splitting Vulnerabilities
---------------------------------------------------------------------------

[-] Software Links:

https://gfi.ai/products-and-solutions/network-security-solutions/keriocontrol
http://download.kerio.com

[-] Affected Versions:

All versions from 9.2.5 to 9.4.5.

[-] Vulnerabilities Description:

There are multiple HTTP Response Splitting vulnerabilities in GFI Kerio Control. The following are some of the affected pages:

- /nonauth/addCertException.cs
- /nonauth/guestConfirm.cs
- /nonauth/expiration.cs

User input passed to these pages via the "dest" GET parameter is not properly sanitized before being used to generate the "Location" HTTP header of a 302 HTTP response. Specifically, the application does not correctly filter or remove linefeed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which in turn might allow an attacker to carry out Reflected Cross-Site Scripting (XSS) and possibly other attacks.

NOTE: the Reflected XSS vector might be abused to perform 1-click Remote Code Execution (RCE) attacks.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-52875.php

[-] Solution:

No official solution is currently available.
[-] Disclosure Timeline:

[06/11/2024] - Vulnerabilities details sent to the vendor
[07/11/2024] - Vendor response stating "we'll take steps to resolve these vulnerabilities in coming releases of Kerio Control"
[07/11/2024] - CVE identifier requested
[17/11/2024] - CVE identifier assigned
[17/11/2024] - Vendor was contacted inquiring about the ETA for the next Kerio Control release; no response
[28/11/2024] - Vendor was contacted again and provided with a 1-click RCE Proof of Concept script, emphasizing these should be considered high-risk vulnerabilities that should be addressed as soon as possible
[28/11/2024] - Vendor response stating "thank you very much for this information, I will immediately consult with rest of the team"
[03/12/2024] - Vendor email stating "would you mind to share with us any script you used while exploiting the vulnerabilities?"
[03/12/2024] - Proof of Concept script and replication steps sent to the vendor, along with a follow-up inquiry about the ETA for a patched Kerio Control version; no response
[06/12/2024] - Vendor was informed that public disclosure is scheduled to occur within two weeks
[11/12/2024] - Vendor response stating "these vulnerabilities were already fixed and will be part of Kerio Control 9.4.5p1 which is now with our internal QA team"
[16/12/2024] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-52875 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-07

[-] Technical Writeup:

https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
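The mechanism the advisory describes, an LF that survives into the "Location" header and splits one 302 into two responses that a lenient client parses separately, shown as an added Python example. This is not part of the advisory and is not the author's PoC script linked above: the vulnerable and hardened redirect builders, the lenient response parser, the crafted "dest" value and the query string are all constructed here for illustration, and none of it is Kerio Control code. The hardened builder also goes slightly beyond the LF case by rejecting every control character and every non-local destination.

```python
import re
from urllib.parse import quote, parse_qs

# Lenient line handling: a bare LF is accepted as a line terminator, as many HTTP
# clients and intermediaries do, so stripping only CR (or only CRLF) is not enough.
LINE_END = re.compile(rb"\r?\n")
HEAD_END = re.compile(rb"\r?\n\r?\n")


def _serialize_302(location: str) -> bytes:
    """Serialise a minimal 302 response whose Location header carries `location`."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(dest: str) -> bytes:
    """Vulnerable pattern (constructed): the decoded 'dest' value is copied verbatim into Location."""
    return _serialize_302(dest)


def build_redirect_hardened(dest: str) -> bytes:
    """Hardened pattern (constructed): reject control characters (CR, LF, NUL, ...) and
    allow only a same-origin absolute path, which also closes the open-redirect door."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise ValueError("control character in dest")
    if not dest.startswith("/") or dest.startswith("//") or dest.startswith("/\\"):
        raise ValueError("dest must be a local absolute path")
    return _serialize_302(dest)


def parse_responses(raw: bytes) -> list:
    """Split a byte stream into the HTTP responses a lenient client would see.
    Each entry: {"status": str, "headers": {lower-name: value}, "body": str}.
    Body length comes from Content-Length (0 if absent); parsing stops at the
    first message head that does not start with 'HTTP/'."""
    responses = []
    pos = 0
    while pos < len(raw):
        while raw[pos:pos + 1] in (b"\r", b"\n"):  # tolerate blank lines between messages
            pos += 1
        m = HEAD_END.search(raw, pos)
        if m is None:
            break
        lines = LINE_END.split(raw[pos:m.start()])
        status = lines[0].decode("latin-1")
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = raw[m.end():m.end() + length]
        responses.append({"status": status, "headers": headers, "body": body.decode("latin-1")})
        pos = m.end() + length
    return responses


# Constructed attacker value for "dest" (illustrative, not the published PoC): a bare LF
# terminates the Location header, an empty first body is declared, and a second,
# attacker-controlled 200 response with an HTML body follows.
INJECTED_DEST = (
    "/\nContent-Length: 0\n\n"
    "HTTP/1.1 200 OK\nContent-Type: text/html\nContent-Length: 25\n\n"
    "<script>alert(1)</script>"
)

# How the value travels in the GET request: every LF becomes %0A on the wire.
CRAFTED_QUERY = "dest=" + quote(INJECTED_DEST, safe="")


def dest_from_query(query: str) -> str:
    """Decode the 'dest' GET parameter the way a server-side handler would (%0A -> LF)."""
    return parse_qs(query, keep_blank_values=True)["dest"][0]


def demo_split(query: str) -> list:
    """Run the crafted query through the vulnerable builder and parse what a client sees."""
    return parse_responses(build_redirect_vulnerable(dest_from_query(query)))


if __name__ == "__main__":
    for r in demo_split(CRAFTED_QUERY):
        print(r["status"], r["headers"], repr(r["body"]))
    try:
        build_redirect_hardened(dest_from_query(CRAFTED_QUERY))
    except ValueError as e:
        print("hardened builder rejected the payload:", e)
```

Running the script shows the vulnerable builder's single 302 being parsed as two messages, the second of which is an attacker-supplied 200 with a text/html body, which is the reflected-XSS angle the advisory mentions. The point of the hardened builder is that rejecting CR alone leaves exactly the gap described above, because a bare LF is enough for a lenient parser; rejecting every control character and requiring a local absolute path closes both the splitting and the open-redirect case in one check.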