The Kerio Control information appliance, usually known as Kerio Firewalls, can be attacked and the internal controls bypassed, according to SEC Consult. The device is designed by Kerio Technologies to be used as a network firewall, router or VPN gateway inside a network’s topology.

More than 60,000 businesses use Kerio products, according to the vendor’s official website.

A Five-Alarm Infection Campaign

Leveraging the device, an attacker can launch the infection campaign from a remote website. There does not need to be an open external internet port active on the Kerio Control device for the infection to succeed.

Researchers detailed two attack scenarios, SecurityWeek reported, in which an attacker gains control of the security appliance as well as the network it is supposed to protect. Both scenarios involve setting up a reverse shell, which ends up controlling the device.

First, the victim is duped into visiting a website containing malicious content stored as images, forms and JavaScript code. The victim’s browser is then told to send all requests from the internal network directly to the Kerio device. This allows the attacker to establish a foothold before attempting to escalate privileges.

Kerio Firewalls Get Hosed

One of the main problems, according to SEC Consult, is that the Kerio Control software uses a 6-year-old PHP binary that contains multiple memory corruption vulnerabilities. The perpetrators used crafted PHP scripts as an attack vector, the researchers found. The vulnerabilities in question were partly due to unsafe use of the PHP “unserialize” function.

But there’s more: According to Exploit Database, previously revealed exploits in these devices have yet to be fully patched. Other than the one reported in the past, these vulnerabilities can still be exploited by cross-site scripting (XSS) campaigns. When SEC Consult notified Kerio, the manufacturer replied that it did not consider the issue to be a vulnerability. Therefore, it will “not be fixed by Kerio.”

Researchers also found that attackers could easily obtain login credentials by launching brute-force attacks against the device. Additionally, the overall exploit can leverage the XSS vulnerability still present to bypass a same-origin policy and detect valid credentials by checking if an image can be loaded from a library.

Kerio released a new software update to address some of the problems. But with the extent of these issues, it may not be enough.