CVE-2024-32384 Overview
CVE-2024-32384 is a medium-severity vulnerability affecting Kerlink gateways running KerOS prior to version 5.10. The vulnerability stems from the web interface being exposed exclusively over HTTP without HTTPS support, creating a significant transport layer security gap. This insecure communication channel allows man-in-the-middle (MITM) attackers to intercept and modify traffic between clients and the affected IoT gateway devices.
The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information), which represents a fundamental failure to protect data in transit. In IoT gateway environments, this poses substantial risks as administrative credentials, configuration data, and potentially sensitive network information could be exposed to attackers positioned on the network path.
Critical Impact
Attackers can intercept administrative credentials and device configurations, potentially gaining full control over IoT gateway infrastructure through man-in-the-middle attacks.
Affected Products
- Kerlink gateways running KerOS versions prior to 5.10
- Kerlink IoT gateway devices with HTTP-only web interfaces
- Network infrastructure utilizing vulnerable KerOS firmware
Discovery Timeline
- 2025-12-01 - CVE CVE-2024-32384 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2024-32384
Vulnerability Analysis
This vulnerability carries a CVSS v3.1 score of 6.8 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. The scoring reflects:
- Attack Vector (AV:N): Network-based exploitation requiring the attacker to be positioned to intercept traffic
- Attack Complexity (AC:H): High complexity due to the need for man-in-the-middle positioning
- Privileges Required (PR:N): No authentication needed to perform the attack
- User Interaction (UI:R): Requires a legitimate user to access the web interface
- Confidentiality Impact (C:H): High - sensitive data including credentials can be captured
- Integrity Impact (I:H): High - traffic can be modified to inject malicious content
The EPSS (Exploit Prediction Scoring System) probability is 0.012% with a percentile of 1.29, indicating a relatively low likelihood of exploitation in the wild, though the impact remains significant for affected deployments.
Root Cause
The root cause of CVE-2024-32384 lies in the architectural decision to implement the device's web management interface using only unencrypted HTTP protocol. KerOS versions prior to 5.10 lack TLS/SSL certificate handling and HTTPS endpoint configuration, meaning all web traffic—including authentication requests, session tokens, and configuration changes—is transmitted in cleartext.
This design flaw is particularly concerning in IoT gateway deployments where:
- Devices often operate on shared network segments
- Administrative access may occur over untrusted networks
- Gateway devices handle sensitive LoRaWAN or other IoT protocol configurations
Attack Vector
The attack exploits the cleartext transmission of sensitive data over HTTP. An attacker positioned on the same network segment or along the routing path between an administrator and the Kerlink gateway can:
- Passive Interception: Capture all HTTP traffic to extract usernames, passwords, session cookies, and device configurations
- Active Modification: Inject malicious JavaScript, alter configuration parameters, or redirect authentication flows
- Session Hijacking: Steal session tokens to impersonate legitimate administrators
- Credential Theft: Harvest login credentials transmitted in plaintext for future unauthorized access
The attack typically requires the adversary to perform ARP spoofing, DNS poisoning, or other network-level positioning techniques to intercept traffic destined for the gateway's web interface.
Detection Methods for CVE-2024-32384
Indicators of Compromise
- Unexpected ARP table changes or ARP spoofing activity on network segments containing Kerlink gateways
- Unencrypted HTTP traffic on port 80 to gateway management interfaces from unexpected sources
- Multiple failed login attempts followed by successful authentication from different source IPs
- Configuration changes to gateway devices that were not authorized or logged by administrators
Detection Strategies
Network monitoring should focus on identifying potential MITM positioning attempts and suspicious traffic patterns. Security teams should implement the following detection approaches:
Network Traffic Analysis: Monitor for HTTP traffic to Kerlink gateway management interfaces. Any administrative traffic over port 80 should be flagged for review, especially from external or untrusted network segments.
ARP Monitoring: Deploy ARP watch mechanisms to detect spoofing attempts that could indicate an attacker positioning for traffic interception.
Session Anomaly Detection: Track administrative sessions for geographic or IP address inconsistencies that might indicate session token theft.
Firmware Version Auditing: Regularly audit KerOS versions across the gateway fleet to identify devices running vulnerable firmware below 5.10.
Monitoring Recommendations
Organizations should implement continuous monitoring for:
- HTTP traffic to IoT gateway management ports from non-administrative network segments
- Certificate errors or TLS warnings when accessing gateway interfaces after upgrade
- Unusual network topology changes in gateway-adjacent network segments
- Authentication events from unexpected source addresses or at unusual times
How to Mitigate CVE-2024-32384
Immediate Actions Required
- Upgrade all Kerlink gateways to KerOS version 5.10 or later, which includes HTTPS support
- Isolate gateway management interfaces on dedicated, trusted network segments until patching is complete
- Implement network-level encryption (VPN or IPsec) for any administrative access to vulnerable devices
- Review access logs for signs of credential compromise or unauthorized configuration changes
Patch Information
Kerlink has addressed this vulnerability in KerOS version 5.10 and later by implementing HTTPS support for the web management interface. Organizations should consult the official Kerlink security advisory for detailed upgrade instructions:
Firmware updates should be tested in a staging environment before deployment to production gateways to ensure compatibility with existing configurations.
Workarounds
For environments where immediate firmware upgrade is not feasible, the following workarounds can reduce exposure:
Network Segmentation: Restrict access to gateway management interfaces to dedicated management VLANs with strict access controls. This limits the attack surface by reducing the number of network paths where interception could occur.
VPN Tunneling: Require all administrative access to traverse an encrypted VPN tunnel, ensuring that even HTTP traffic is protected at the network layer.
Access Control Lists: Implement firewall rules that restrict management interface access to specific administrator IP addresses or subnets.
Physical Security: For critical deployments, consider physical network isolation of management interfaces to eliminate remote MITM opportunities.
# Example: Network segmentation using iptables on a management host
# Restrict HTTP access to gateway management interface
iptables -A OUTPUT -p tcp --dport 80 -d <gateway_ip> -j DROP
# Force access through VPN tunnel interface only
iptables -A OUTPUT -o tun0 -p tcp --dport 80 -d <gateway_ip> -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
