[VulnWatch] [CAN-2004-1022] Insecure Credential Storage on Kerio Software

From: Secure Computer Group (scg_at_udc.es)
Date: 12/14/04

  • Next message: Secure Computer Group: "[VulnWatch] [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software"
    Date: Tue, 14 Dec 2004 11:18:54 +0100
    To: vulnwatch@vulnwatch.org
    
    

    ______________________________________________________________________

                Secure Computer Group - University of A Coruna
                        http://research.tic.udc.es/scg/

                                   -- x --

               dotpi.com Information Technologies Research Labs
                             http://www.dotpi.com

    ______________________________________________________________________

    ID: #20041214-1
    Document title: Insecure Credential Storage on Kerio
                                Software
    Document revision: 1.0

    Coordinated release date: 2004/12/14
    Vendor Acknowledge date: 2004/10/06
    Reported date: 2004/10/01

    CVE Name: CAN-2004-1022

    Other references: N/A
    ______________________________________________________________________

    Summary:

       Impact: Insecure Credential Storage
       Rating/Severity: Medium
       Recommendation: Update to latest version

       Vendor: Kerio Technologies Inc.

       Affected software: Kerio WinRoute Firewall (all versions)
                                Kerio ServerFirewall (all versions)
                                Kerio MailServer (all versions)

       Updates/Patches: Yes (see below)
    ______________________________________________________________________

    General Information:

       1. Executive summary:
          ------------------

          As a result of its collaboration relationship the Secure Computer
          Group (SCG) along with dotpi.com Research Labs have determined
          this security issue on Kerio WinRoute Firewall (KWF), Kerio
          ServerFirewall (KSF) and Kerio MailServer (KMS).

          KWF, KSF and KMS user credential database system uses symmetric
          encryption to protect passwords stored on it.

          Anyone with a cyphertext of this database (that is, with access to
          the configuration files) could reverse the encryption using a
          universal secret key hidden into the program logic.

          New versions of the software solve this and other minor problems
          so it is upgrade its highly recommended.

       2. Technical details:
          ------------------

          Following the latest trends and approaches to responsible
          disclosure, SCG and dotpi.com are going to withhold details of
          this flaw for three months.

          Full details will be published on 2005/03/14. This three month
          window will allow system administrators the time needed to
          obtain the patch before the details are released to the general
          public.

       3. Risk Assessment factors:
          ------------------------

          The attacker needs access to the user database, which is not
          normally a usual condition on a properly hardened firewall and/or
          mail server.

          Despite this, special care should be taken on shared environments
          where more than one technical staff work together on the firewall
          and/or the mail server. This kind of scenarios offer a potential
          opportunity for the insiders on the work of stealing identities
          and, therefore, breaking access control measures.

          It is also important to note that this could be an important
          second-stage resource for a successful attacker on an already
          compromised firewall and/or mail server.

       4. Solutions and recommendations:
          ------------------------------

         Upgrade to the latest versions:

                  o Kerio Winroute Firewall 6.0.9

                  o Kerio ServerFirewall 1.0.1

                  o Kerio MailServer 6.0.5

          As in any other case, follow, as much as possible, the Industry
          'Best Practices' on Planning, Deployment and Operation on this
          kind of services.

          Note:

          Kerio Winroute Firewall 6.0.7 fixed CAN-2004-1022. Kerio Winroute
          Firewall 6.0.9 is the current version fixing CAN-2004-1022 and
          CAN-2004-1023

       5. Common Vulnerabilities and Exposures (CVE) project:
          ---------------------------------------------------

          The Common Vulnerabilities and Exposures (CVE) project has
          assigned the name CAN-2004-1022 to this issue. This is a
          candidate for inclusion in the CVE list (http://cve.mitre.org),
          which standardizes names for security problems.

    ______________________________________________________________________

    Acknowledgements:

       1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole
          Technical Team from Kerio Technologies (support at kerio.com)
          for their quick response and professional handling on this issue.

       3. The whole Research Lab at dotpi.com and specially to Carlos Veira
          for his leadership and support.

       3. Secure Computer Group at University of A Coruna (scg at udc.es),
          and specially to Antonino Santos del Riego powering new research
          paths at University of a Coruna.

    ______________________________________________________________________

    Credits:

       Javier Munoz (Secure Computer Group) is credited with this discovery.

    ______________________________________________________________________

    Related Links:

       [1] Kerio Technologies Inc.
           http://www.kerio.com/

       [2] Kerio WinRoute Firewall Downloads & Updates
           http://www.kerio.com/kwf_download.html

       [3] Kerio ServerFirewall Downloads & Updates
           http://www.kerio.com/ksf_download.html

       [4] Kerio MailServer Downloads & Updates
           http://www.kerio.com/kms_download.html

       [5] Secure Computer Group. University of A Coruna
           http://research.tic.udc.es/scg/

       [6] Secure Computer Group. Updated advisory
           http://research.tic.udc.es/scg/advisories/20041214-1.txt

       [7] dotpi.com Information Technologies S.L.
           http://www.dotpi.com/

       [8] dotpi.com Research Labs
           http://www.dotpi.com/research/

    ______________________________________________________________________

    Legal notice:

       Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
       Copyright (c) 2004 dotpi.com Information Technologies S.L.

       Permission is granted for the redistribution of this alert
       electronically. It may not be edited in any way without the express
       written consent of the authors.

       If you wish to reprint the whole or any part of this alert in any
       other medium other than electronically, please contact the authors
       for explicit written permission at the following e-mail addresses:
       (scg at udc.es) and (info at dotpi.com).

       Disclaimer: The information in the advisory is believed to be
       accurate at the time of publishing based on currently available
       information. Use of the information constitutes acceptance for use
       in an AS IS condition.

       There are no warranties with regard to this information. Neither the
       author nor the publisher accepts any liability for any direct,
       indirect, or consequential loss or damage arising from use of, or
       reliance on, this information.
    _____________________________________________________________________


  • Next message: Secure Computer Group: "[VulnWatch] [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software"

    Relevant Pages