Vulnerable GFI KerioControl firewalls affected by the critical carriage return line feed (CRLF) injection issue, tracked as CVE-2024-52857, have been subjected to attacks since Dec. 28, The Hacker News reports.
Intrusions involving the now-patched flaw, which could be leveraged to facilitate remote code execution, have stemmed from seven Singapore- and Hong Kong-based IP addresses, according to an analysis from GreyNoise. Malicious input containing carriage return and line feed characters could also be used to tamper with HTTP response headers, noted security researcher Egidio Romano, who identified and reported the bug. "...[T]he application does not correctly filter/remove line feed (LF) characters. This can be exploited to perform HTTP Response Splitting attacks, which, in turn, might allow it to carry out reflected cross-site scripting (XSS) and possibly other attacks," Romano added. Immediate patching of GFI KerioControl firewalls, nearly 24,000 of which were discovered by Censys to be online, has been urged to avert compromise.
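The filtering gap Romano describes can be shown with a generic redirect handler. This is an added example, not KerioControl code or the researcher's proof of concept. The function names and the sample input are constructed for illustration, and the lenient parser models clients that accept a bare LF as a line terminator.

```python
# Added illustration: function names and SAMPLE are constructed, not KerioControl code.
from urllib.parse import quote

# Constructed input with benign markers: one bare LF starts a new header line,
# two LFs end the header block early.
SAMPLE = "/home\nX-Injected: 1\n\nINJECTED-BODY"

def _redirect(location: str) -> bytes:
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode()

def redirect_weak(dest: str) -> bytes:
    """Flawed filter: removes CR only, so LF still reaches the header."""
    return _redirect(dest.replace("\r", ""))

def redirect_encoded(dest: str) -> bytes:
    """Percent-encode everything outside a URL-safe set; CR and LF become %0D/%0A."""
    return _redirect(quote(dest, safe="/:?&=#%+-._~"))

def redirect_strict(dest: str) -> bytes:
    """Refuse any control character instead of trying to repair the value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        raise ValueError("control character in header value")
    return _redirect(dest)

def parse_lenient(raw: bytes):
    """Model a client that accepts bare LF as a line terminator."""
    text = raw.decode().replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    names = [line.split(":", 1)[0].lower() for line in head.split("\n")[1:]]
    return names, body

if __name__ == "__main__":
    for build in (redirect_weak, redirect_encoded):
        names, body = parse_lenient(build(SAMPLE))
        print(f"{build.__name__}: headers={names} body={body!r}")
    try:
        redirect_strict(SAMPLE)
    except ValueError as exc:
        print(f"redirect_strict: rejected ({exc})")
```

Stripping only CR leaves the response splittable, while encoding or rejecting both CR and LF keeps the header block intact.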