GFI Kerio Control Missing Authentication Vulnerability in GFIAgent Component Allowing Privileged Operations

Vulnerability

A missing authentication vulnerability has been identified in the GFIAgent component of GFI Kerio Control version 9.4.5. GFIAgent, the service that integrates the appliance with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without authenticating callers. Because internal administrative endpoints are reachable through these services, an unauthenticated remote attacker who can reach either port can invoke privileged administrative APIs and functions.

Impact

Successful exploitation is a complete authentication bypass: an unauthenticated attacker gains access to administrative APIs and functions of the affected Kerio Control appliance, with whatever privileges those endpoints carry.

Reproduction

Reproduction is a two-step request chain. First, the GFIAgent service on port 7995 is queried to retrieve the Appliance UUID. That UUID is then supplied to the '/proxy' handler on port 7996, which forwards the request to internal administrative endpoints without enforcing authentication. The 'non-transparent proxy' service on port 3128, which is enabled by default, widens the exposure: it forwards requests to the appliance's own internal services, including GFIAgent, so an attacker who can only reach port 3128 can still reach ports 7995 and 7996, sidestepping both firewall rules that block those ports and the missing authentication checks.
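As an added example that is not part of the original advisory or of GFI's own code, the following Python sketch shows detection logic a defender could run over connection logs to spot the access pattern described above: direct hits on the GFIAgent ports from non-management sources, proxy requests on port 3128 whose target is the appliance itself on 7995 or 7996, and the two-step chain of a 7995 request followed by a 7996 request from the same source. The log format, field names, sample lines and the management allowlist are all constructed for the example; the parser must be adapted to the appliance's real log format before use.

```python
"""Detection sketch for GFIAgent exposure on a Kerio Control appliance.

Constructed example: the key=value log format, field names, sample lines
and MANAGEMENT_SOURCES below are hypothetical, not Kerio Control's own log
format. Adapt parse_line() to the appliance's real connection/proxy log.
"""
from datetime import datetime, timedelta

GFIAGENT_PORTS = {7995, 7996}
PROXY_PORT = 3128
# Names that mean "the appliance itself" when they appear as a proxy target.
LOOPBACK_NAMES = {"127.0.0.1", "localhost", "::1", "[::1]"}
# Hypothetical management hosts permitted to reach GFIAgent directly.
MANAGEMENT_SOURCES = {"10.0.0.5"}
# Max gap between the 7995 (UUID) request and the 7996 (/proxy) request.
CHAIN_WINDOW = timedelta(seconds=60)

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = """\
ts=2025-07-02T15:04:01Z src=203.0.113.10 dst=192.0.2.1 dport=3128 method=CONNECT target=127.0.0.1:7995 status=200
ts=2025-07-02T15:04:03Z src=203.0.113.10 dst=192.0.2.1 dport=3128 method=CONNECT target=127.0.0.1:7996 status=200
ts=2025-07-02T15:05:10Z src=198.51.100.7 dst=192.0.2.1 dport=7995 status=200
ts=2025-07-02T15:05:12Z src=198.51.100.7 dst=192.0.2.1 dport=7996 status=200
ts=2025-07-02T15:06:00Z src=10.0.0.5 dst=192.0.2.1 dport=7995 status=200
ts=2025-07-02T15:07:00Z src=203.0.113.44 dst=192.0.2.1 dport=3128 method=CONNECT target=example.org:443 status=200
"""


def parse_line(line):
    """Parse one constructed key=value log line into an event dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    ev = {
        "ts": datetime.fromisoformat(fields["ts"].replace("Z", "+00:00")),
        "src": fields["src"],
        "dst": fields["dst"],            # appliance address the client hit
        "dport": int(fields["dport"]),
        "method": fields.get("method"),
        "target_host": None,
        "target_port": None,
    }
    target = fields.get("target")        # proxy target, host:port
    if target and ":" in target:
        host, _, port = target.rpartition(":")  # handles [::1]:7995 too
        if port.isdigit():
            ev["target_host"], ev["target_port"] = host, int(port)
    return ev


def gfiagent_port_reached(ev):
    """Return the GFIAgent port this event reaches (directly or via the
    non-transparent proxy on 3128), or None if it reaches neither."""
    if ev["dport"] in GFIAGENT_PORTS:
        return ev["dport"]
    if ev["dport"] == PROXY_PORT and ev["target_port"] in GFIAGENT_PORTS:
        # The proxy turned an external request into a connection to the
        # appliance's own GFIAgent listener (loopback or its own address).
        if ev["target_host"] in LOOPBACK_NAMES or ev["target_host"] == ev["dst"]:
            return ev["target_port"]
    return None


def detect(log_text):
    """Return a list of (rule, src, gfiagent_port) findings for the log."""
    findings = []
    last_7995 = {}  # src -> timestamp of its most recent 7995 access
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        port = gfiagent_port_reached(ev)
        if port is None:
            continue
        if ev["dport"] == PROXY_PORT:
            findings.append(("proxy_forward_to_gfiagent", ev["src"], port))
        elif ev["src"] not in MANAGEMENT_SOURCES:
            findings.append(("direct_gfiagent_access", ev["src"], port))
        # Two-step pattern from the advisory: UUID from 7995, then /proxy
        # on 7996, from the same source within CHAIN_WINDOW. Flagged even
        # for management hosts, since the sequence itself is the exploit shape.
        if port == 7995:
            last_7995[ev["src"]] = ev["ts"]
        elif port == 7996:
            t0 = last_7995.get(ev["src"])
            if t0 is not None and ev["ts"] - t0 <= CHAIN_WINDOW:
                findings.append(("uuid_then_proxy_chain", ev["src"], port))
    return findings


if __name__ == "__main__":
    for rule, src, port in detect(SAMPLE_LOG):
        print(f"{rule:28s} src={src:15s} gfiagent_port={port}")
```

The proxy rule is the one most worth carrying over to a real deployment: a perimeter rule that blocks 7995 and 7996 from the outside is not sufficient while port 3128 will forward to the appliance's own loopback, so the detector treats a proxy target of the appliance itself on those ports exactly like a direct connection.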

Added: Jul 2, 2025, 3:04 PM
Updated: Jul 2, 2025, 3:04 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact          7.5
exploitability  7.0
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.