Steps to eliminate vulnerabilities in the Kaspersky IoT Secure Gateway Network Protector application

When using the Kaspersky IoT Secure Gateway Network Protector application, it may be exposed to vulnerabilities BDU:2025-00136 (CVE-2024-55628) and BDU:2025-00137 (CVE-2024-55629). To promptly eliminate these vulnerabilities in the Kaspersky IoT Secure Gateway Network Protector application, you need to perform the steps described in the section below.

Fixing vulnerability BDU:2025-00136 (CVE-2024-55628) in Kaspersky IoT Secure Gateway Network Protector

To eliminate the risks associated with the BDU:2025-00136 (CVE-2024-55628) vulnerability, you must disable the processing of DNS packets by the Kaspersky IoT Secure Gateway Network Protector application.

To disable DNS packet processing in the Kaspersky IoT Secure Gateway Network Protector application, apply the bug fix patch. This patch disables the processing of certain unsupported specific types of network packets sent via the SIP, SMB, SMTP, DNS, HTTP, or HTTP2 protocols.

Fixing vulnerability BDU:2025-00137 (CVE-2024-55629) in Kaspersky IoT Secure Gateway Network Protector

To eliminate the risks associated with the BDU:2025-00137 (CVE-2024-55629) vulnerability, you need to add a predefined rule to the Kaspersky IoT Secure Gateway Network Protector application to detect TCP packets marked with the Urgent flag, to subsequently block traffic originating from the source of these packets.

To add a predefined rule to the Kaspersky IoT Secure Gateway Network Protector application to detect TCP packets with the Urgent flag:

1. Prepare a USB drive containing any Linux Live CD distribution that supports SSHD.

   You are advised to download the SystemRescueCd distribution image from the official SystemRescue website and create a bootable USB drive using a utility such as dd, for example:

   $ dd if=systemrescuecd-<version number>.iso of=/dev/<USB drive name>

2. Turn off the Kraftway Rubezh-N device.
3. Connect a USB drive containing any Linux Live CD distribution that supports SSHD to the device.
4. Turn on the device and press the DELETE key during startup to enter the BIOS.
5. Choose to boot the Live CD image from the USB drive.
6. Create a file named "patch.sh" in any directory.
7. Open "patch.sh" in a text editor and copy the lines from the drop-down block below.

   Contents of the "patch.sh" file.

   #!/bin/bash

   mkdir packageManager

   mount /dev/sda21 packageManager

   mkdir container

   mount packageManager/apps/kaspersky.kisg.netprotector/res/net_protector_container.img container

   RULE_FILE_NAME="tcp_urgent.rules"

   RULE_FILE_CONTEXT='alert tcp any any -> any any (msg:"TCP packet with urgent flag"; flags:U*; threshold:type threshold, track by_src, count 1, seconds 1200; classtype:misc-activity; sid:90001001; priority:2; rev:1;)'

   echo ${RULE_FILE_CONTEXT} > container/idsit/rules/${RULE_FILE_NAME}

   AMR_FILE="container/idsit/amr.yaml"

   if ! grep -q ${RULE_FILE_NAME} ${AMR_FILE}; then

   if [ "$(tail -c 1 ${AMR_FILE})" != $'\n' ]; then

   echo >> ${AMR_FILE}

   fi

   echo " - ${RULE_FILE_NAME}" >> ${AMR_FILE}

   fi

   umount container

   umount packageManager

   rmdir container

   rmdir packageManager

8. Save the "patch.sh" file and grant it the Execute permission.
9. Run the "patch.sh" script:

   ./patch.sh

10. After the script is finished, restart the device with the Kaspersky IoT Secure Gateway 1000 system boot (by default or via BIOS) and check the operation of the system.
11. Run Kaspersky IoT Secure Gateway Network Protector if it wasn't run automatically.
12. Test the rule by running one of the following commands on a host in the internal network segment:
    • For the Unidirectional Gateway device type:

      hping3 -c 1 -p 8080 -U -S 192.168.1.1

    • For the Network router device type:

      hping3 -c 1 -p 8080 -U -S <IP address of Kaspersky IoT Secure Gateway 1000 in the external network>

    If the rule is configured correctly, after the execution of this command the rule will be triggered and a corresponding entry will appear in the firewall events.

After applying this patch, the Kaspersky IoT Secure Gateway Network Protector application can also block traffic from hosts you need if they match the rule. To unblock such hosts, you need to add their IP addresses to the allowlist.