Kerio Personal Firewall DOS Vulnerability

From: Abraham Lincoln (sunninja@scientist.com)
Date: 08/26/02


From: "Abraham Lincoln" <sunninja@scientist.com>
To: bugtraq@securityfocus.com
Date: Mon, 26 Aug 2002 21:59:22 +0800

NSSI-Research Labs Security Advisory

http://www.nssolution.com (Philippines/.ph)

"Maximum e-security"

http://nssilabs.nssolution.com

Kerio Personal Firewall 2.x.x Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-keriopfw

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a

Vendor Status: Vendor inform us to release new version and hopefully it would patch the vulnerability.

Vendors website: http://www.kerio.com
Severity: High

Overview:

     Kerio Personal Firewall (KPF) is a software agent that builds a barrier between your personal computer and the Internet. KPF is designed to protect your PC against attacks from both the Internet, and other computers in the local network.
    Kerio Personal Firewall 2.x.x for windows platform contains Denial of Service vulnerability. These vulnerability could allow an attacker to hang-up the host and CPU utilization will hit up to 100%.  Even if your hosts tcp/ip stack is hardened. .

Details:

Test bed:
   [*Nix b0x with Synflooder] <===[10/100mbps switch===> [Host with KPF]

 1] DoS vulnerability with Kerio Personal Firewall 2.x.x Default Installation
    - KPF is vulnerable with Synflood attack by sending minimum of 300 syn packets the target host will stop from responding, 100% of the CPU utilization will be consumed and eventually hangs-up the machine.

2] Setting the Personal firewall to High Security and Block all services and Protocols.
    - It is quite similar to the first one but the personal firewall is configured to block all services and protocols. After sending a minimum of 500 syn packets from port 1-1024. The host will stop from responding, 100% of the CPU utilization will be consumed.

Workaround:
1] Disable the Personal Firewall or Stop the KPF service. Wiindows with latest security patch or hotfix alone can handle 300-500 syn packets from a single host.

Any Questions? Suggestions? or Comments? let us know. (feel free)
e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

greetings:
   Lawless the saint ;), dig0, b45h3r, jethro, nssilabs team ;), mr. d.f.a and to our webmaster raymund (R2/D2)

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup



Relevant Pages

  • Administrivia: Response to OIS Draft on "Security Vulnerability and Response Process"
    ... vulnerability or not. ... to see what they can expect, at each Vendor, or for each Coordinator, ... and possibly a lot longer if the Finder doesn't pester ... security of users, critical infrastructures, and the Internet"...and ...
    (NT-Bugtraq)
  • Re: [Full-Disclosure] Vulnerability Disclosure Debate
    ... You see, with a lock, the primary purpose of it is ... or of other requirements than personal security. ... there is only one vendor that I'm aware of that can do that -- Microsoft ... code for every vulnerability eliminates the notion of difficulty to exploit, ...
    (Full-Disclosure)
  • Re: [Full-Disclosure] Vulnerability Disclosure Debate
    ... You see, with a lock, the primary purpose of it is ... or of other requirements than personal security. ... there is only one vendor that I'm aware of that can do that -- Microsoft ... code for every vulnerability eliminates the notion of difficulty to exploit, ...
    (Full-Disclosure)
  • Re: Using 0days as part of pen-test?
    ... the client the option to determine how the vendor gets notified. ... vulnerability information you discover during ... The legal issue isn't the disclosure process, you can act as "legal entity" ... security threats until the vendor release a patch. ...
    (Pen-Test)
  • Re: Call to arms - INFORMATION ANARCHY
    ... Its one thing to prove to a Vendor they have a problem in their code. ... and its not resolved by keeping "Full Disclosure" alive. ... > the Vendor for a vulnerability without accepting responsibility for your ... > feed the feature versus security mentality of many Vendors. ...
    (NT-Bugtraq)