SECURITYVULNS:DOC:8505
Apr 30, 2005 - 12:00 a.m.

[CAN-2005-1062] Administration protocol abuse allows local/remote password cracking


EPSS: 0.01 Low (percentile 83.7%)


        Secure Computer Group - University of A Coruna
                http://research.tic.udc.es/scg/

                           -- x --

       dotpi.com Information Technologies Research Labs
                     http://www.dotpi.com

ID: #20050429-1
Document title: Administration protocol abuse allows local/remote password cracking
Document revision: 1.0

Coordinated release date: 2005/04/29
Vendor Acknowledge date: 2005/02/25
Reported date: 2005/02/21

CVE Name: CAN-2005-1062

Other references: N/A


Summary:

Impact: Local/remote password cracking

Rating/Severity: Medium
Recommendation: Update to latest version
                Enforce network ACLs
                Enforce password policies

Vendor: Kerio Technologies Inc.

Affected software:

          o Kerio WinRoute Firewall up to and including 6.0.10

          o Kerio Personal Firewall up to and including 4.1.2

          o Kerio MailServer up to and including 6.0.8

Updates/Patches: Yes (see below)


General Information:

  1. Executive summary:

    Kerio WinRoute Firewall, Kerio Personal Firewall and Kerio
    MailServer use a local/remote administration protocol to manage
    the service.

    This protocol can be abused in order to remotely retrieve user
    credentials through a brute forcing technique. Passwords 1-5
    characters long could be obtained quickly. As such, Kerio considers
    them insecure and recommends enforcing password policies. The
    attack is not practically usable for passwords longer than 5
    characters. User logins must be previously known for this attack to
    be successful.

    The logging component of the software can lose up to 40% of the
    events while the attack is in progress.

    In order to solve this problem, system administrators should
    enforce network ACL security settings and user password policies.
    It is also highly recommended to verify these settings as part of
    the planning, installation, hardening and auditing processes.

    New versions of the software solve this and other minor problems
    so an upgrade is highly recommended.

  2. Technical details:

    Technical details and proof of concept code were provided to
    vendor.

  3. Risk Assessment factors:

    The attacker should have access to the administration ports:

    o TCP/UDP 44333 - Kerio WinRoute Firewall Administration

    o TCP/UDP 44334 - Kerio Personal Firewall Administration

    o TCP/UDP 44337 - Kerio MailServer Administration

    Network effective bandwidth between the system and the attacker is
    also an important speed and success factor.

    User logins must be previously known or previously brute forced
    for this attack to be successful.

    Special attention should be paid to environments in which NT,
    Active Directory or Open Directory integration is in place.
    GINA.DLL re-login delay features are bypassed and therefore the
    brute forcing procedure is considerably quicker.

    Local/Domain User Lock-out policies can help contain this
    attack. Despite that, a user login denial of service can emerge
    as a side effect.

    The riskiest scenarios are those in which the server machine
    is shared among two or more interactive users/administrators or
    those situations where Kerio service management has been
    delegated to a third party.

    The weakness in the logging facility can be a target on its own
    in order to hide any other attack that is being performed
    simultaneously.

    Special care should be taken in such environments, and every step
    of the project (design, planning, deployment and management)
    should consider these security issues.

    Privilege escalation, system and software tampering and the
    ability to alter service configuration are all real issues and
    all of them can be used as a second stage attack vector.

  4. Solutions and recommendations:

    Upgrade to the latest versions:

    o Kerio WinRoute Firewall 6.0.11 and above

    o Kerio Personal Firewall 4.1.3 and above

    o Kerio MailServer 6.0.9 and above

    As in any other case, follow, as much as possible, the Industry
    'Best Practices' on Planning, Deployment and Operation on this
    kind of services.
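
    The following added example, which is not part of the original
    advisory or of any Kerio software, audits flow records for
    connections to the administration ports from outside a management
    network and for high connection rates per source. The record
    format, the management network, the thresholds and the addresses
    are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Administration ports listed in the advisory.
ADMIN_PORTS = {44333: "Kerio WinRoute Firewall", 44334: "Kerio Personal Firewall",
               44337: "Kerio MailServer"}

def parse(line):
    """Parse one constructed flow record: '<ISO time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), dst, int(dport), proto

def audit(lines, mgmt_nets, max_conns=20, window=timedelta(seconds=60)):
    """Return (acl_violations, bruteforce_suspects) for admin-port traffic.

    Feed this from a device other than the Kerio host: the advisory reports
    that the product's own log can lose up to 40% of events under attack.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    violations, seen = set(), defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse(line)
        if dport not in ADMIN_PORTS:
            continue
        if not any(src in n for n in nets):      # source outside the allowlist
            violations.add((str(src), dst, dport))
        seen[(str(src), dst, dport)].append(ts)
    suspects = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Advance the window start so stamps[start..end] span <= window.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_conns:
                suspects[key] = max(suspects.get(key, 0), count)
    return violations, suspects

def sample_log():
    """Constructed flow records using documentation address ranges."""
    base = datetime(2005, 4, 29, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 192.0.2.10 44333 tcp"
             for i in range(45)]    # one connection per second, outside mgmt net
    lines += [f"{(base + timedelta(minutes=5 * i)).isoformat()} 10.0.5.20 192.0.2.10 44337 tcp"
              for i in range(3)]    # occasional admin sessions from mgmt net
    lines.append(f"{base.isoformat()} 198.51.100.7 192.0.2.10 443 tcp")  # not an admin port
    return lines
```

    Calling audit(sample_log(), ["10.0.5.0/24"]) reports the outside
    source both as an ACL violation and as a rate suspect.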

  5. Common Vulnerabilities and Exposures (CVE) project:

    The Common Vulnerabilities and Exposures (CVE) project has
    assigned the name CAN-2005-1062 to this issue. This is a
    candidate for inclusion in the CVE list (http://cve.mitre.org),
    which standardizes names for security problems.


Acknowledgements:

  1. Special thanks to Vladimir Toncar and the whole Technical Team from
    Kerio Technologies (support at kerio.com) for their quick response
    and professional handling of this issue.

  2. The whole Research Lab at dotpi.com and especially to Carlos Veira.

  3. Secure Computer Group at University of A Coruna (scg at udc.es),
    and especially to Antonino Santos del Riego.


Credits:

Javier Munoz (Secure Computer Group) is credited with this discovery.


Related Links:

[1] Kerio Technologies Inc.
http://www.kerio.com/

[2] Kerio WinRoute Firewall Downloads & Updates
http://www.kerio.com/kwf_download.html

[3] Kerio Personal Firewall Downloads & Updates
http://www.kerio.com/kpf_download.html

[4] Kerio MailServer Downloads & Updates
http://www.kerio.com/kms_download.html

[5] Secure Computer Group. University of A Coruna
http://research.tic.udc.es/scg/

[6] Secure Computer Group. Updated advisory
http://research.tic.udc.es/scg/advisories/20050429-1.txt

[7] dotpi.com Information Technologies S.L.
http://www.dotpi.com/

[8] dotpi.com Research Labs
http://www.dotpi.com/research/


Legal notice:

Copyright (c) 2002-2005 Secure Computer Group. University of A Coruna
Copyright (c) 2004-2005 dotpi.com Information Technologies S.L.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of the authors.

If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please contact the authors
for explicit written permission at the following e-mail addresses:
(scg at udc.es) and (info at dotpi.com).

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use
in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

