[CAN-2005-1063] Administration protocol abuse leads to Service and System Denial of Service

---

        Secure Computer Group - University of A Coruna
                http://research.tic.udc.es/scg/

                           -- x --

       dotpi.com Information Technologies Research Labs
                     http://www.dotpi.com

---

ID: #20050429-2
Document title: Administration protocol abuse leads to
Service and System Denial of Service
Document revision: 1.0

Coordinated release date: 2005/04/29
Vendor Acknowledge date: 2005/02/25
Reported date: 2005/02/21

CVE Name: CAN-2005-1063

Other references: N/A

---

Summary:

Impact: Service denial of service (DoS)
CPU hogging denial of service (DoS)

Rating/Severity: Medium
Recommendation: Update to latest version
Enforce network ACLs

Vendor: Kerio Technologies Inc.

Affected software:

          o Kerio WinRoute Firewall up to and including 6.0.10

          o Kerio Personal Firewall up to and including 4.1.2

          o Kerio MailServer up to and including 6.0.8

Updates/Patches: Yes (see below)

---

General Information:

1. Executive summary:

   Kerio WinRoute Firewall, Kerio Personal Firewall and Kerio
   MailServer drive a local/remote administration protocol in order
   to manage the service.

   This protocol can be abused in pre-authentication states forcing
   the service to compute unexpected conditions and also to perform
   cryptographic operations over each protocol message.

   As a result, system resources get exhausted and the system
   becomes unresponsive. A sufficient network bandwidth between the
   system and the attacker is required for the attack.

   It must be noted that the limit of maximun number of user
   connections can also be used to perform a service denial of
   service and that no valid authentication is required for this to
   succeed.

   The logging component of the software ignores any event related
   with this attack.

   In order solve this problem, system administrators should enforce
   network ACL security settings. It is also highly recommended to
   verify this settings as part of the planning, installation,
   hardening and auditing processes.

   New versions of the software solve this and other minor problems
   so an upgrade is highly recommended.

2. Technical details:

   Technical details and proof of concept code were provided to
   vendor.

3. Risk Assessment factors:

   The attacker should have access to the administration ports:

   o TCP/UDP 44333 - Kerio WinRoute Firewall Administration

   o TCP/UDP 44334 - Kerio Personal Firewall Administration

   o TCP/UDP 44337 - Kerio MailServer Administration

   The most risky scenarios are the ones in which the server machine
   is shared among two or more interactive users/administrators or
   those situations where Kerio service management have been
   delegated to a third party.

   Special care should be taken on such environments and every step
   of the project: design, planning, deployment and management
   should consider this security issues.

4. Solutions and recommendations:

   Upgrade to the latest versions:

   o Kerio Winroute Firewall 6.0.11 and above

   o Kerio Personal Firewall 4.1.3 and above

   o Kerio MailServer 6.0.9 and above

   As in any other case, follow, as much as possible, the Industry
   'Best Practices' on Planning, Deployment and Operation on this
   kind of services.

5. Common Vulnerabilities and Exposures (CVE) project:

   The Common Vulnerabilities and Exposures (CVE) project has
   assigned the name CAN-2005-1063 to this issue. This is a
   candidate for inclusion in the CVE list (http://cve.mitre.org),
   which standardizes names for security problems.

---

Acknowledgements:

1. Special thanks to Vladimir Toncar and the whole Technical Team from
   Kerio Technologies (support at kerio.com) for their quick response
   and professional handling on this issue.

2. The whole Research Lab at dotpi.com and specially to Carlos Veira.

3. Secure Computer Group at University of A Coruna (scg at udc.es),
   and specially to Antonino Santos del Riego.

---

Credits:

Javier Munoz (Secure Computer Group) is credited with this discovery.

---

Related Links:

[1] Kerio Technologies Inc.
http://www.kerio.com/

[2] Kerio WinRoute Firewall Downloads & Updates
http://www.kerio.com/kwf_download.html

[3] Kerio Personal Firewall Downloads & Updates
http://www.kerio.com/kpf_download.html

[4] Kerio MailServer Downloads & Updates
http://www.kerio.com/kms_download.html

[5] Secure Computer Group. University of A Coruna
http://research.tic.udc.es/scg/

[6] Secure Computer Group. Updated advisory
http://research.tic.udc.es/scg/advisories/20050429-2.txt

[7] dotpi.com Information Technologies S.L.
http://www.dotpi.com/

[8] dotpi.com Research Labs
http://www.dotpi.com/research/

---

Legal notice:

Copyright (c) 2002-2005 Secure Computer Group. University of A Coruna
Copyright (c) 2004-2005 dotpi.com Information Technologies S.L.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of the authors.

If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please contact the authors
for explicit written permission at the following e-mail addresses:
(scg at udc.es) and (info at dotpi.com).

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use
in an AS IS condition.

There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

---