ID

VAR-200501-0046


CVE

CVE-2004-1023


TITLE

Kerio Multiple software Weak security mechanism vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200501-129

DESCRIPTION

Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in the plug-ins folder, and modify XML files related to configuration. Kerio Mailserver is prone to a local security vulnerability. Kerio is a security software company that offers a variety of security software.

______________________________________________________________________

Secure Computer Group - University of A Coruna
http://research.tic.udc.es/scg/

-- x --

dotpi.com Information Technologies Research Labs
http://www.dotpi.com
______________________________________________________________________

ID: #20041214-2
Document title: Insecure default file system permissions on Microsoft versions of Kerio Software
Document revision: 1.0
Coordinated release date: 2004/12/14
Vendor Acknowledge date: 2004/11/10
Reported date: 2004/11/08
CVE Name: CAN-2004-1023
Other references: N/A
______________________________________________________________________

Summary:

Impact:
  Privilege escalation
  System software tampering
  Trojan injection
  Second-stage attack vector
  Alter configuration files

Rating/Severity: Low

Recommendation:
  Update to latest version
  Enforce file system ACLs

Vendor: Kerio Technologies Inc.

Affected software:
  Kerio WinRoute Firewall (all versions)
  Kerio ServerFirewall (all versions)
  Kerio MailServer (all windows versions)

Updates/Patches: Yes (see below)
______________________________________________________________________

General Information:

1. Executive summary:
------------------
As a result of its collaboration relationship the Secure Computer Group (SCG) along with dotpi.com Research Labs have determined the following security issue on some Kerio Software.

Kerio WinRoute Firewall, Kerio ServerFirewall and Kerio MailServer are installed by default under 'Program Files' system folder. No change is done to the ACLs after the installation process.

System administrators should enforce ACL security settings in order to solve this problem. It is also highly recommended to verify these settings as part of the planning, installation, hardening and auditing processes.

New versions of the software solve this and other minor problems, so upgrading is highly recommended.

2. Technical details:
------------------
Following the latest trends and approaches to responsible disclosure, SCG and dotpi.com are going to withhold details of this flaw for three months.

Full details will be published on 2005/03/14. This three month window will allow system administrators the time needed to obtain the patch before the details are released to the general public.

3. Risk Assessment factors:
------------------------
The attacker would need local interactive access to the installation directory. Remote access is also possible but default system settings do not make this easy.

The most risky scenarios are the ones in which the server machine is shared among two or more users or those situations where Kerio service management has been delegated to a third party any other than local or domain system administrator.

Special care should be taken on such environments and every step of the project: design, planning, deployment and management should consider these security issues.

Privilege escalation, system and software tampering and the ability to alter service configuration are all real issues and all of them can be used as a second stage attack vector.

4. Solutions and recommendations:
------------------------------
Enforce the file system ACLs and/or upgrade to the latest versions:

  o Kerio Winroute Firewall 6.0.9
  o Kerio ServerFirewall 1.0.1
  o Kerio MailServer 6.0.5

As in any other case, follow, as much as possible, the Industry 'Best Practices' on Planning, Deployment and Operation on this kind of services.

5. Common Vulnerabilities and Exposures (CVE) project:
---------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1023 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
______________________________________________________________________

Acknowledgements:

1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole Technical Team from Kerio Technologies (support at kerio.com) for their quick response and professional handling on this issue.

2. The whole Research Lab at dotpi.com and specially to Carlos Veira for his leadership and support.

3. Secure Computer Group at University of A Coruna (scg at udc.es), and specially to Antonino Santos del Riego powering new research paths at University of A Coruna.
______________________________________________________________________

Credits:

Javier Munoz (Secure Computer Group) is credited with this discovery.
______________________________________________________________________

Related Links:

[1] Kerio Technologies Inc.
    http://www.kerio.com/
[2] Kerio WinRoute Firewall Downloads & Updates
    http://www.kerio.com/kwf_download.html
[3] Kerio ServerFirewall Downloads & Updates
    http://www.kerio.com/ksf_download.html
[4] Kerio MailServer Downloads & Updates
    http://www.kerio.com/kms_download.html
[5] Secure Computer Group. University of A Coruna
    http://research.tic.udc.es/scg/
[6] Secure Computer Group. Updated advisory
    http://research.tic.udc.es/scg/advisories/20041214-2.txt
[7] dotpi.com Information Technologies S.L.
    http://www.dotpi.com/
[8] dotpi.com Research Labs
    http://www.dotpi.com/research/
______________________________________________________________________

Legal notice:

Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
Copyright (c) 2004 dotpi.com Information Technologies S.L.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of the authors.

If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please contact the authors for explicit written permission at the following e-mail addresses: (scg at udc.es) and (info at dotpi.com).

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition.

There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
______________________________________________________________________

Trust: 1.35

sources: NVD: CVE-2004-1023 // BID: 90583 // VULHUB: VHN-9453 // PACKETSTORM: 35332

AFFECTED PRODUCTS

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.3

Trust: 1.9

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.2

Trust: 1.9

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.1

Trust: 1.9

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.0

Trust: 1.9

vendor: kerio // model: serverfirewall // scope: eq // version: 1.0.0

Trust: 1.9

vendor: kerio // model: mailserver // scope: eq // version: 6.0.4

Trust: 1.9

vendor: kerio // model: mailserver // scope: eq // version: 6.0.3

Trust: 1.9

vendor: kerio // model: mailserver // scope: eq // version: 6.0.2

Trust: 1.9

vendor: kerio // model: mailserver // scope: eq // version: 6.0.1

Trust: 1.9

vendor: kerio // model: mailserver // scope: eq // version: 6.0.0

Trust: 1.9

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.8

Trust: 1.3

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.5

Trust: 1.3

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.4

Trust: 1.3

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.7

Trust: 1.3

vendor: kerio // model: winroute firewall // scope: eq // version: 6.0.6

Trust: 1.3

sources: BID: 90583 // CNNVD: CNNVD-200501-129 // NVD: CVE-2004-1023

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-1023
value: LOW

Trust: 1.0

CNNVD: CNNVD-200501-129
value: LOW

Trust: 0.6

VULHUB: VHN-9453
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2004-1023
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-9453
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-9453 // CNNVD: CNNVD-200501-129 // NVD: CVE-2004-1023

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-1023

THREAT TYPE

local

Trust: 0.9

sources: BID: 90583 // CNNVD: CNNVD-200501-129

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-200501-129

EXTERNAL IDS

db: NVD // id: CVE-2004-1023

Trust: 2.1

db: XF // id: 18471

Trust: 0.9

db: BUGTRAQ // id: 20041214 [CAN-2004-1023] INSECURE DEFAULT FILE SYSTEM PERMISSIONS ON MICROSOFT VERSIONS OF KERIO SOFTWARE

Trust: 0.6

db: CNNVD // id: CNNVD-200501-129

Trust: 0.6

db: BID // id: 90583

Trust: 0.4

db: PACKETSTORM // id: 35332

Trust: 0.2

db: VULHUB // id: VHN-9453

Trust: 0.1

sources: VULHUB: VHN-9453 // BID: 90583 // PACKETSTORM: 35332 // CNNVD: CNNVD-200501-129 // NVD: CVE-2004-1023

REFERENCES

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/18471

Trust: 1.1

url:http://marc.info/?l=bugtraq&m=110305387813002&w=2

Trust: 1.0

url:http://marc.theaimsgroup.com/?l=bugtraq&m=110305387813002&w=2

Trust: 0.9

url:http://xforce.iss.net/xforce/xfdb/18471

Trust: 0.9

url:http://marc.info/?l=bugtraq&m=110305387813002&w=2

Trust: 0.1

url:http://www.kerio.com/

Trust: 0.1

url:http://www.dotpi.com/

Trust: 0.1

url:http://www.dotpi.com

Trust: 0.1

url:http://www.kerio.com/kwf_download.html

Trust: 0.1

url:http://www.kerio.com/ksf_download.html

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2004-1023

Trust: 0.1

url:http://www.kerio.com/kms_download.html

Trust: 0.1

url:http://research.tic.udc.es/scg/advisories/20041214-2.txt

Trust: 0.1

url:http://cve.mitre.org

Trust: 0.1

url:http://www.dotpi.com/research/

Trust: 0.1

url:http://research.tic.udc.es/scg/

Trust: 0.1

sources: VULHUB: VHN-9453 // BID: 90583 // PACKETSTORM: 35332 // CNNVD: CNNVD-200501-129 // NVD: CVE-2004-1023

CREDITS

Unknown

Trust: 0.3

sources: BID: 90583

SOURCES

db: VULHUB // id: VHN-9453
db: BID // id: 90583
db: PACKETSTORM // id: 35332
db: CNNVD // id: CNNVD-200501-129
db: NVD // id: CVE-2004-1023

LAST UPDATE DATE

2024-08-14T15:25:41.786000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-9453 // date: 2017-07-11T00:00:00
db: BID // id: 90583 // date: 2005-01-10T00:00:00
db: CNNVD // id: CNNVD-200501-129 // date: 2006-09-27T00:00:00
db: NVD // id: CVE-2004-1023 // date: 2017-07-11T01:30:40.277

SOURCES RELEASE DATE

db: VULHUB // id: VHN-9453 // date: 2005-01-10T00:00:00
db: BID // id: 90583 // date: 2005-01-10T00:00:00
db: PACKETSTORM // id: 35332 // date: 2004-12-30T07:19:43
db: CNNVD // id: CNNVD-200501-129 // date: 2005-01-10T00:00:00
db: NVD // id: CVE-2004-1023 // date: 2005-01-10T05:00:00