CVE-2024-32388 Overview
CVE-2024-32388 is a medium-severity firewall misconfiguration vulnerability affecting Kerlink devices running KerOS prior to version 5.12. The flaw allows attackers to bypass firewall protections by sending specially crafted UDP packets, potentially gaining unauthorized access to UDP-based services that should be protected by the firewall.
This vulnerability is classified under CWE-402 (Transmission of Private Resources into a New Sphere), indicating that protected network resources can be exposed to unauthorized parties through the firewall bypass mechanism.
Critical Impact
Attackers can bypass firewall protections on Kerlink IoT gateway devices to access internal UDP services without authentication, potentially compromising the security of LoRaWAN network infrastructure.
Affected Products
- Kerlink devices running KerOS versions prior to 5.12
- Kerlink LoRaWAN gateways with vulnerable firmware
- IoT infrastructure utilizing affected Kerlink devices
Discovery Timeline
- 2025-12-01 - CVE-2024-32388 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2024-32388
Vulnerability Analysis
The vulnerability exists in the firewall configuration of Kerlink devices running KerOS. The firewall fails to properly validate and filter incoming UDP packets, allowing specially crafted packets to bypass security rules that would normally block unauthorized access to internal services.
With a CVSS v3.1 score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, this vulnerability is characterized by:
- Attack Vector: Network - Exploitable remotely without physical access
- Attack Complexity: Low - No special conditions required
- Privileges Required: None - Unauthenticated exploitation possible
- User Interaction: None - No user action needed
- Confidentiality Impact: Low - Limited information disclosure possible
The EPSS (Exploit Prediction Scoring System) data indicates a probability of 0.037% with a percentile ranking of 10.673, suggesting relatively low likelihood of active exploitation in the wild.
Root Cause
The root cause of this vulnerability is improper firewall rule configuration in KerOS that fails to adequately inspect and filter UDP traffic. The firewall does not properly validate UDP packet headers or payload structures, allowing malformed or specially crafted packets to pass through security controls that should block them.
This misconfiguration falls under the category of Insecure Default Configuration, where the default firewall ruleset does not provide sufficient protection against UDP-based attacks.
Attack Vector
An attacker can exploit this vulnerability by crafting malicious UDP packets designed to bypass the firewall filtering mechanisms. The attack follows this sequence:
- Reconnaissance: The attacker identifies a Kerlink device running a vulnerable version of KerOS
- Packet Crafting: Specially structured UDP packets are created to exploit the firewall misconfiguration
- Firewall Bypass: The crafted packets pass through the firewall unfiltered
- Service Access: The attacker gains access to UDP-based services that should be protected
The vulnerability manifests in the firewall packet filtering logic where UDP packets are not properly validated. The malformed packets exploit inconsistencies in how the firewall processes UDP traffic, allowing them to reach internal services. For detailed technical information about the exploitation mechanism, refer to the BDO Security advisory.
Detection Methods for CVE-2024-32388
Indicators of Compromise
- Unexpected UDP traffic reaching internal services that should be firewall-protected
- Anomalous UDP packet patterns with unusual header configurations
- Unauthorized connections to UDP services from external IP addresses
- Increased UDP traffic volume to Kerlink gateway devices
- Log entries indicating access to restricted UDP services from untrusted sources
Detection Strategies
Organizations can detect potential exploitation attempts by implementing the following strategies:
- Network Traffic Analysis: Monitor for unusual UDP traffic patterns targeting Kerlink devices, particularly packets with malformed headers or unexpected source addresses
- Firewall Log Review: Analyze firewall logs for UDP packets that bypass expected filtering rules
- Service Access Monitoring: Track access attempts to UDP-based services on Kerlink devices from external networks
- Anomaly Detection: Deploy network anomaly detection to identify deviations from normal UDP traffic baselines
Monitoring Recommendations
Deploy network monitoring solutions that can inspect UDP traffic to and from Kerlink devices. Configure alerts for:
- UDP connections to services that should be blocked by firewall rules
- High volumes of UDP traffic from single sources
- UDP packets with unusual characteristics or malformed headers
- Access attempts to management interfaces from untrusted networks
SentinelOne Singularity provides comprehensive network visibility and can detect anomalous traffic patterns associated with firewall bypass attempts, enabling security teams to identify and respond to potential exploitation of this vulnerability.
How to Mitigate CVE-2024-32388
Immediate Actions Required
- Upgrade all Kerlink devices to KerOS version 5.12 or later immediately
- Implement network segmentation to isolate Kerlink devices from untrusted networks
- Deploy additional firewall rules at the network perimeter to filter UDP traffic to Kerlink devices
- Review and audit UDP service configurations on affected devices
- Monitor network traffic for signs of exploitation attempts
Patch Information
Kerlink has addressed this vulnerability in KerOS version 5.12. Organizations should update their devices through the official Kerlink firmware update process. Detailed patch information and security advisories are available at:
Workarounds
If immediate patching is not possible, organizations can implement the following temporary mitigations:
- Network Isolation: Place Kerlink devices behind additional firewall layers that provide more robust UDP filtering
- Access Control Lists: Implement strict ACLs to limit which source IP addresses can send UDP traffic to affected devices
- VPN Tunneling: Route all traffic to Kerlink devices through VPN connections to add an additional layer of authentication
- Service Hardening: Disable unnecessary UDP services on affected devices to reduce the attack surface
# Example: Implement additional iptables rules on network gateway to protect Kerlink devices
# Replace KERLINK_DEVICE_IP with actual device IP address
# Allow UDP only from trusted management network
iptables -A FORWARD -p udp -d KERLINK_DEVICE_IP -s TRUSTED_MGMT_NETWORK/24 -j ACCEPT
iptables -A FORWARD -p udp -d KERLINK_DEVICE_IP -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
