A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without proper authentication. The /proxy handler on port 7996 allows arbitrary forwarding to administrative endpoints when provided with an Appliance UUID, which itself can be retrieved from port 7995. This results in a complete authentication bypass, permitting access to sensitive administrative APIs.
The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP interfaces on ports 7995 and 7996 without any authentication. Port 7995 reveals the device identifier (Appliance UUID), which can then be passed to the /proxy handler on port 7996. The /proxy handler allows arbitrary request redirection to internal, administrative endpoints, thereby completely bypassing access control mechanisms. As a result, the attacker gains full access to sensitive administrative APIs of the system.
An attacker without any privileges can remotely execute privileged administrative operations on the device, which combined with the ability to access internal APIs can lead to complete system takeover, including potentially RCE.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to ports 7995 and 7996 exclusively to trusted hosts using firewall rules, until the official patch is deployed.
GFI Kerio Control version 9.4.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XGfi Kerio Control
APPGfi9.4.5
Related vulnerabilities
Authentication Bypass w GFI Kerio Control — pełny dostęp admina bez uwierzytelnienia
RCE w GFI Kerio Control poprzez mechanizm aktualizacji firmware
An issue was discovered in GFI Kerio Control 9.2.5 through 9.4.5. The dest GET parameter passed to the /nonaut...
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page...
GFI Archiver MArc.Core — pominięcie autoryzacji (Authentication Bypass)