CVE-2024-52875

CVE-2024-52875 affects GFI Kerio Control versions 9.2.5 through 9.4.5. The vulnerability stems from improper sanitization of the "dest" GET parameter passed to the /nonauth/addCertException.cs, /nonauth/guestConfirm.cs, and /nonauth/expiration.cs pages. This parameter is used directly to generate the Location HTTP header in a 302 response, enabling Open Redirect and HTTP Response Splitting attacks that lead to Reflected Cross-Site Scripting (XSS), classified under CWE-113. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H). Remote command execution is also achievable by leveraging the upgrade feature in the admin interface.

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as a victim clicking a crafted link. Attackers can manipulate the "dest" parameter to redirect users to malicious sites or inject CRLF characters for response splitting, facilitating reflected XSS to steal session cookies or perform further attacks. By chaining this with the admin interface's upgrade functionality, full remote command execution can be attained, granting high confidentiality, integrity, and availability impacts.

Advisories detailing the vulnerability, including potential mitigations and patches, are available from the referenced sources: https://karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875 and http://seclists.org/fulldisclosure/2024/Dec/15.