


Category:   Application (E-mail Server)  >   Kerio MailServer
Vendors:   Kerio Technologies
Kerio MailServer Discloses Passwords to Local Users
SecurityTracker Alert ID:  1012521
SecurityTracker URL:
CVE Reference:   CVE-2004-1022
Updated:  Dec 15 2004
Original Entry Date:  Dec 15 2004
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 6.0.5
Description:   A vulnerability was reported in the Kerio MailServer. A local user may be able to obtain user passwords.

The Secure Computer Group at the University of A Coruna and the Information Technologies Research Labs reported that the product uses a symmetric algorithm for encrypting user passwords on the system. A local user with access to the configuration files can use the universal secret key contained within the application to decrypt the user passwords.

Additional details will be disclosed in March 2005.

Javier Munoz of Secure Computer Group is credited with discovering this flaw.

The vendor was notified on October 1, 2004.
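
The storage weakness described above, contrasted with a one-way alternative, as an added example that is not code from Kerio or from the advisory. The embedded key and the XOR keystream cipher are constructed stand-ins (the advisory does not disclose the product's algorithm), and salted PBKDF2 is shown as one common one-way design, not as the vendor's actual fix.

```python
import hashlib
import hmac
import os

# Constructed value: stands in for a key compiled into every installation.
EMBEDDED_KEY = b"constructed-demo-key"
PBKDF2_ITERATIONS = 600_000


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_reversible(password: str) -> bytes:
    """Weak pattern: symmetric encryption under a key shipped with the product."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(EMBEDDED_KEY, len(data))))


def recover_reversible(stored: bytes) -> str:
    """Whoever holds the stored record and the program's key can invert it."""
    stream = _keystream(EMBEDDED_KEY, len(stored))
    return bytes(a ^ b for a, b in zip(stored, stream)).decode()


def store_hashed(password: str) -> tuple:
    """Hardened pattern: per-user random salt plus a slow one-way KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; nothing is ever decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```

With the reversible scheme, equal passwords also produce equal stored records on every installation; with the salted hash, two records for the same password differ and a login check never needs the plaintext back.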

Impact:   A local user can decrypt user passwords.
Solution:   The vendor has issued a fixed version (6.0.5) of the Kerio MailServer, available at:

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SuSE), UNIX (macOS/OS X), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

 Source Message Contents

Subject:  [CVE-2004-1022] Insecure Credential Storage on Kerio Software


            Secure Computer Group - University of A Coruna

                               -- x --

  Information Technologies Research Labs


ID:                        #20041214-1
Document title:            Insecure Credential Storage on Kerio
Document revision:         1.0

Coordinated release date:  2004/12/14
Vendor Acknowledge date:   2004/10/06
Reported date:             2004/10/01

CVE Name:                  CAN-2004-1022

Other references:          N/A


   Impact:                  Insecure Credential Storage
   Rating/Severity:         Medium
   Recommendation:          Update to latest version

   Vendor:                  Kerio Technologies Inc.

   Affected software:       Kerio WinRoute Firewall (all versions)
                            Kerio ServerFirewall (all versions)
                            Kerio MailServer (all versions)

   Updates/Patches:         Yes (see below)

General Information:

   1. Executive summary:

      As a result of its collaboration relationship the Secure Computer
      Group (SCG) along with Research Labs have determined
      this security issue on Kerio WinRoute Firewall (KWF), Kerio
      ServerFirewall (KSF) and Kerio MailServer (KMS).

      KWF, KSF and KMS user credential database system uses symmetric
      encryption to protect passwords stored on it.

      Anyone with a cyphertext of this database (that is, with access to
      the configuration files) could reverse the encryption using a
      universal secret key hidden in the program logic.

      New versions of the software solve this and other minor problems,
      so upgrading is highly recommended.

   2. Technical details:

      Following the latest trends and approaches to responsible
      disclosure, SCG and are going to withhold details of
      this flaw for three months.

      Full details will be published on 2005/03/14. This three month
      window will allow system administrators the time needed to
      obtain the patch before the details are released to the general

   3. Risk Assessment factors:

      The attacker needs access to the user database, which is not
      normally a usual condition on a properly hardened firewall and/or
      mail server.

      Despite this, special care should be taken on shared environments
      where more than one technical staff work together on the firewall
      and/or the mail server. This kind of scenario offers a potential
      opportunity for the insiders on the work of stealing identities
      and, therefore, breaking access control measures.

      It is also important to note that this could be an important
      second-stage resource for a successful attacker on an already
      compromised firewall and/or mail server.

   4. Solutions and recommendations:

     Upgrade to the latest versions:

      	o Kerio WinRoute Firewall 6.0.9

      	o Kerio ServerFirewall 1.0.1

      	o Kerio MailServer 6.0.5

      As in any other case, follow, as much as possible, the Industry
      'Best Practices' on Planning, Deployment and Operation on this
      kind of services.


      Kerio WinRoute Firewall 6.0.7 fixed CAN-2004-1022. Kerio WinRoute
      Firewall 6.0.9 is the current version fixing CAN-2004-1022 and

   5. Common Vulnerabilities and Exposures (CVE) project:

      The Common Vulnerabilities and Exposures (CVE) project has
      assigned the name CAN-2004-1022 to this issue. This is a
      candidate for inclusion in the CVE list (,
      which standardizes names for security problems.



   1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole
      Technical Team from Kerio Technologies (support at
      for their quick response and professional handling on this issue.

   2. The whole Research Lab at and especially to Carlos Veira
      for his leadership and support.

   3. Secure Computer Group at University of A Coruna (scg at,
      and especially to Antonino Santos del Riego powering new research
      paths at University of A Coruna.



   Javier Munoz (Secure Computer Group) is credited with this discovery.


Related Links:

   [1] Kerio Technologies Inc.

   [2] Kerio WinRoute Firewall Downloads & Updates

   [3] Kerio ServerFirewall Downloads & Updates

   [4] Kerio MailServer Downloads & Updates

   [5] Secure Computer Group. University of A Coruna

   [6] Secure Computer Group. Updated advisory

   [7] Information Technologies S.L.

   [8] Research Labs


Legal notice:

   Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
   Copyright (c) 2004 Information Technologies S.L.

   Permission is granted for the redistribution of this alert
   electronically. It may not be edited in any way without the express
   written consent of the authors.

   If you wish to reprint the whole or any part of this alert in any
   other medium other than electronically, please contact the authors
   for explicit written permission at the following e-mail addresses:
   (scg at and (info at

   Disclaimer: The information in the advisory is believed to be
   accurate at the time of publishing based on currently available
   information. Use of the information constitutes acceptance for use
   in an AS IS condition.

   There are no warranties with regard to this information. Neither the
   author nor the publisher accepts any liability for any direct,
   indirect, or consequential loss or damage arising from use of, or
   reliance on, this information.

