SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   Kerio Personal Firewall Vendors:   Kerio Technologies
Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash
SecurityTracker Alert ID:  1005140
SecurityTracker URL:  http://securitytracker.com/id/1005140
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 27 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.x.x
Description:   A denial of service vulnerability was reported in the Kerio Personal Firewall software for Microsoft Windows operating systems. A remote user can cause a host protected by the firewall software to crash.

NSSI-Research Labs warned that a remote user could cause the protected host's CPU utilization to reach 100%, even if the host's TCP/IP stack has been hardened.

It is reported that the firewall is vulnerable to SYN flood attacks. A remote user can send 300 or more TCP SYN packets to cause the target host to stop responding and the host to eventually crash.

If the firewall is set to block all services and protocols, a remote user can send 500 or more TCP SYN packets to cause the target host to stop responding and CPU utilization to reach 100%.

Impact:   A remote user can cause CPU utilization to reach 100% or the protected target host to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.kerio.com/us/kpf_home.html (Links to External Site)
Cause:   Exception handling error, Resource error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Denies Vulnerability) Re: Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash
The vendor denies that the product is vulnerable.
(Vulnerability is Reasserted and Details Are Provided) Re: Kerio Personal Firewall Allows Remote Users to Cause a Protected Host to Crash
The researcher has reasserted the original claim that the product is indeed vulnerable and has provided details on how to reproduce the vulnerability.



 Source Message Contents

Subject:  Kerio Personal Firewall DOS Vulnerability


NSSI-Research Labs Security Advisory

http://www.nssolution.com (Philippines/.ph)

"Maximum e-security"

http://nssilabs.nssolution.com

Kerio Personal Firewall 2.x.x Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-keriopfw

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a

Vendor Status:  Vendor inform us to release new version and hopefully it would patch the vulnerability.

Vendors website: http://www.kerio.com
Severity: High

Overview:

     Kerio Personal Firewall (KPF) is a software agent that builds a barrier between your personal computer and the Internet. KPF
 is designed to protect your PC against attacks from both the Internet, and other computers in the local network.
    Kerio Personal Firewall 2.x.x for windows platform contains  Denial of Service vulnerability.  These vulnerability could allow
 an attacker to hang-up the host and CPU utilization will hit up to 100%.  Even if your hosts tcp/ip stack is hardened. .

Details:

Test bed:
   [*Nix b0x with Synflooder] <===[10/100mbps switch===> [Host with KPF] 

 1] DoS vulnerability with Kerio Personal Firewall 2.x.x Default Installation
    - KPF is vulnerable with Synflood attack by sending minimum of 300 syn packets the target host will stop from responding, 100%
 of  the CPU utilization will be consumed and eventually hangs-up the machine.

2] Setting the Personal firewall to High Security  and Block all services and Protocols. 
    - It is quite similar to the first one but the personal firewall is configured to block all services and protocols.  After sending
 a minimum of 500 syn packets from port 1-1024. The host will stop from responding, 100% of the CPU utilization will be consumed.
 

Workaround:
1] Disable the Personal Firewall or Stop the KPF service.  Wiindows  with latest security patch or hotfix alone can handle 300-500
 syn packets from a single host.   

Any Questions? Suggestions? or Comments? let us know. (feel free)
e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

greetings:
   Lawless the saint ;), dig0, b45h3r, jethro, nssilabs team ;), mr. d.f.a and to our webmaster raymund (R2/D2)


-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC