SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Firewall)  >   KerioControl (WinRoute Firewall) Vendors:   Kerio Technologies
Kerio WinRoute Firewall Permits Remote Brute Force Password Determination
SecurityTracker Alert ID:  1013846
SecurityTracker URL:  http://securitytracker.com/id/1013846
CVE Reference:   CVE-2005-1062   (Links to External Site)
Date:  Apr 30 2005
Impact:   Disclosure of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.10 and prior versions
Description:   A vulnerability was reported in Kerio WinRoute Firewall. A remote user can conduct brute force attacks to determine user passwords in certain cases.

A remote user with knowledge of at least one user password can connect to the administration port (44333) and conduct brute force attacks to determine a target user's password.

Passwords that are 5 characters or shorter can be determined quickly. The report indicates that the attack is not feasible for obtaining longer passwords.

The logging component may fail to log 40% of the events when an attack is being performed.

Systems using NT, Active Directory, or Open Directory authentication integration are at greater risk, because GINA.DLL re-login delay features are bypassed. As a result, the brute force guessing attack can occur more rapidly.

Secure Computer Group and dotpi.com Information Technologies Research Labs reported this vulnerability. Javier Munoz (Secure Computer Group) discovered this vulnerability.

Impact:   A remote user with knowledge of at least one user password can determine other user passwords that are five characters or less.
Solution:   The vendor has issued a fixed version (6.0.11), available at:

http://www.kerio.com/kwf_download.html

Vendor URL:  www.kerio.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [CVE-2005-1062] Administration protocol abuse allows local/remote


______________________________________________________________________


            Secure Computer Group - University of A Coruna
                    http://research.tic.udc.es/scg/

                               -- x --

           dotpi.com Information Technologies Research Labs
                         http://www.dotpi.com

______________________________________________________________________

ID:                        #20050429-1
Document title:            Administration protocol abuse allows
                            local/remote password cracking
Document revision:         1.0

Coordinated release date:  2005/04/29
Vendor Acknowledge date:   2005/02/25
Reported date:             2005/02/21

CVE Name:                  CAN-2005-1062

Other references:          N/A
______________________________________________________________________

Summary:

   Impact:                  Local/remote password cracking

   Rating/Severity:         Medium
   Recommendation:          Update to latest version
                            Enforce network ACLs
                            Enforce password policies

   Vendor:                  Kerio Technologies Inc.

   Affected software:

              o Kerio WinRoute Firewall up to and including 6.0.10

              o Kerio Personal Firewall up to and including 4.1.2

              o Kerio MailServer up to and including 6.0.8

   Updates/Patches:         Yes (see below)
______________________________________________________________________

General Information:

   1. Executive summary:
      ------------------

      Kerio WinRoute Firewall, Kerio Personal Firewall and Kerio
      MailServer drive a local/remote administration protocol in order
      to manage the service.

      This protocol can be abused in order to remotely retrieve user
      credentials through a brute forcing technique. Passwords 1-5
      characters long could be obtained quickly. As such, Kerio considers
      them insecure and recommends enforcing password policies. The
      attack is not practically usable for passwords longer than 5
      characters. User logins must be previously known for this attack to
      be successful.

      The logging component of the software can loose up to 40% of the
      events when the attack is in place.

      In order solve this problem, system administrators should enforce
      network ACL security settings and user password policies. It is
      also highly recommended to verify this settings as part of the
      planning, installation, hardening and auditing processes.

      New versions of the software solve this and other minor problems
      so an upgrade is highly recommended.

   2. Technical details:
      ------------------

      Technical details and proof of concept code were provided to
      vendor.


   3. Risk Assessment factors:
      ------------------------

      The attacker should have access to the administration ports:

        o TCP/UDP 44333 - Kerio WinRoute Firewall Administration

        o TCP/UDP 44334 - Kerio Personal Firewall Administration

        o TCP/UDP 44337 - Kerio MailServer Administration

      Network effective bandwidth between the system and the attacker is
      also an important speed and success factor.

      User logins must be previously known or previously brute forced
      for this attack to be successful.

      Special attention should be taken on environments on which NT,
      Active Directory or Open Directory integration is in place.
      GINA.DLL re-login delay features are bypassed and therefore the
      brute forcing procedure is considerably quicker.

      Local/Domain User Lock-out policies can help on contenting this
      attack. Despite that, an user login denial of service can emerge
      as a side effect.

      The most risky scenarios are the ones in which the server machine
      is shared among two or more interactive users/administrators or
      those situations where Kerio service management have been
      delegated to a third party.

      The weakeness on the logging facility can be a target on its own
      in order to hide any other attack that is being performed
      simultaneously.

      Special care should be taken on such environments and every step
      of the project: design, planning, deployment and management
      should consider this security issues.

      Privilege escalation, system and software tampering and the
      ability to alter service configuration are all real issues and
      all of them can be used as a second stage attack vector.


   4. Solutions and recommendations:
      ------------------------------

      Upgrade to the latest versions:

         o Kerio Winroute Firewall 6.0.11 and above

         o Kerio Personal Firewall 4.1.3 and above

         o Kerio MailServer 6.0.9 and above

      As in any other case, follow, as much as possible, the Industry
      'Best Practices' on Planning, Deployment and Operation on this
      kind of services.


   5. Common Vulnerabilities and Exposures (CVE) project:
      ---------------------------------------------------

      The Common Vulnerabilities and Exposures (CVE) project has
      assigned the name CAN-2005-1062 to this issue. This is a
      candidate for inclusion in the CVE list (http://cve.mitre.org),
      which standardizes names for security problems.

______________________________________________________________________

Acknowledgements:

   1. Special thanks to Vladimir Toncar and the whole Technical Team from
      Kerio Technologies (support at kerio.com) for their quick response
      and professional handling on this issue.

   3. The whole Research Lab at dotpi.com and specially to Carlos Veira.

   3. Secure Computer Group at University of A Coruna (scg at udc.es),
      and specially to Antonino Santos del Riego.

______________________________________________________________________

Credits:

   Javier Munoz (Secure Computer Group) is credited with this discovery.

______________________________________________________________________

Related Links:

   [1] Kerio Technologies Inc.
       http://www.kerio.com/

   [2] Kerio WinRoute Firewall Downloads & Updates
       http://www.kerio.com/kwf_download.html

   [3] Kerio Personal Firewall Downloads & Updates
       http://www.kerio.com/kpf_download.html

   [4] Kerio MailServer Downloads & Updates
       http://www.kerio.com/kms_download.html

   [5] Secure Computer Group. University of A Coruna
       http://research.tic.udc.es/scg/

   [6] Secure Computer Group. Updated advisory
       http://research.tic.udc.es/scg/advisories/20050429-1.txt

   [7] dotpi.com Information Technologies S.L.
       http://www.dotpi.com/

   [8] dotpi.com Research Labs
       http://www.dotpi.com/research/

______________________________________________________________________

Legal notice:

   Copyright (c) 2002-2005 Secure Computer Group. University of A Coruna
   Copyright (c) 2004-2005 dotpi.com Information Technologies S.L.

   Permission is granted for the redistribution of this alert
   electronically. It may not be edited in any way without the express
   written consent of the authors.

   If you wish to reprint the whole or any part of this alert in any
   other medium other than electronically, please contact the authors
   for explicit written permission at the following e-mail addresses:
   (scg at udc.es) and (info at dotpi.com).

   Disclaimer: The information in the advisory is believed to be
   accurate at the time of publishing based on currently available
   information. Use of the information constitutes acceptance for use
   in an AS IS condition.

   There are no warranties with regard to this information. Neither the
   author nor the publisher accepts any liability for any direct,
   indirect, or consequential loss or damage arising from use of, or
   reliance on, this information.
_____________________________________________________________________


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC