Re: Kerio 2.1.5 vulnerability

From: Kerodo (loopback_at_localhost.com)
Date: 11/06/04


Date: Sat, 6 Nov 2004 12:48:50 -0800

In article <10oqc82av1et089@corp.supernews.com>, mock@turtle.com says...
> On Fri, 5 Nov 2004 16:59:01 -0800, Kerodo <loopback@localhost.com>
> wrote:
>
> |In article <sm6oo09u1outk79oj2mriqeb53da5fcdir@4ax.com>, me@privacy.net
> |says...
> |> So it seems any packet with the fragment bit set goes straight through
> |> the firewall, and kerio only logs plain SYN packets.
> |> This vulnerability is nearly 7 YEARS OLD, so there must be people
> |> exploiting it by now. Nice one Kerio. How long have they known this?
> |> Do they not try and enumerate their own firewall?
> |> If they didn't know they are fools and I can no longer trust them.
> |> If they did know and didn't withdraw Kerio I can no longer trust them.
> |
> |I am the one who originally wrote about the fragmented packet
> |vulnerability. I noticed it here many months ago, and have never been
> |able to get anyone else to listen or verify it. I will not use Kerio
> |2.1.5 any more because of this problem. It's clear to me that Kerio
> |2.1.5 does NOT handle fragmented packets properly, and that they DO get
> |in thru the firewall.
> |
> |The only reason why I noticed it is because the Messenger spammers are
> |using this exploit to get spam packets thru firewalls that don't handle
> |fragmented packets properly. They typically come in with a fragmented
> |packet to port 1026. In Kerio 2, you will see an outbound ICMP type 3
> |as a result of the inbound packet getting thru.
> |
> |At any rate, what you are seeing there is true. I have verified it here
> |many times.
> |
> |>
> |> So what next I thought. ZoneAlarm of course. I got
> |> zls-free-Setup51033000.exe and installed it. I had to clean kerio
> |> from the registry by hand first as it didn't uninstall cleanly.
> |> ZoneAlarm wasn't vulnerable (but I don't like it). Next I tried Kerio
> |> 4.1.1. Not vulnerable (but my trust is gone).
> |
> |Strangely enough, Kerio 4.x.x does NOT have the same problem. I'm using
> |Kerio 4.1.2 right now with my Kerio 2 rule set without any problems,
> |other than poor logging. I believe they re-wrote Kerio 4 from scratch
> |so it does not have the fragmented packet processing problem that Kerio
> |2 does. Or if it is based on Kerio 2, then they fixed the problem.
> |I've tested it quite a bit.
> |
> |> With info from the above links and a little knowledge of Kerio it's
> |> easy to locate and connect to Kerio 2.1.5 boxes.
> |> What next? It's format and reinstall windows for me.
> |>
> |> HiS
> |
> |Kerio 2.1.5 (and earlier) is the only firewall I've found that has
> |problems with fragmented packets, and I've tried MANY others and
> |checked. I think you can probably trust most of the others, including
> |Sygate, ZoneAlarm, VisNetic, Outpost, Jetico and so on.
> |
> |Until I discovered that problem, Kerio 2.1.5 was my favorite firewall.
> |I hated parting with it. I have not seen any harmful exploits of this
> |vulnerability yet, and I doubt that most people would anyway, but it
> |bothers me enough to discontinue its use and switch to something more
> |secure.
>
> Sorry if this is a dumb question, but ...
>
> If I have Kerio 2.1.5 running, but it has a problem letting fragmented
> packets through, can I close that hole with a rule in the D-Link
> DI-604 router firewall? The router is new and I don't understand yet
> what rules I need to put into its firewall. There are quite a few
> rules in Kerio which I had running before I got the router.

I don't have a router myself, so I know very little about them, but I
would think that if you do have a router, then this fragmented packet
stuff would not be an issue. The router should block all unsolicited
inbound traffic by default (correct me someone if I'm wrong...). You
would be using Kerio mostly for outbound application control, which is
not one of its strong points anyway. Any good firewall can do that,
including ZA and so on.

-- 
Kerodo
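The thread above describes a filter that passes packets with the fragment bit set and logs only plain SYN segments. The following is an added example, not code from the thread or from Kerio, showing why such a filter misses fragments: only the fragment at offset 0 carries the TCP/UDP header, so a logger keyed on SYN flags or ports must also read the IPv4 flags and fragment-offset fields (RFC 791). The sample packets are constructed inline, with checksums left at zero.

```python
import struct

IP_MF = 0x1      # More Fragments: lowest bit of the 3-bit IPv4 flags field (RFC 791)
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_ipv4(proto, mf, offset, payload):
    """Construct a minimal IPv4 packet (constructed sample data; checksum left zero)."""
    flags_frag = ((IP_MF if mf else 0) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes(4), bytes(4))
    return hdr + payload

def parse_ipv4(pkt):
    """Return the IPv4 header fields a fragment-aware filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return {"proto": proto,
            "mf": bool((flags_frag >> 13) & IP_MF),
            "offset": (flags_frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
            "payload": pkt[(ver_ihl & 0x0F) * 4:]}

def classify(pkt):
    """Describe the packet the way a log entry should, fragments included."""
    h = parse_ipv4(pkt)
    frag = h["mf"] or h["offset"] != 0
    tag = ", first fragment" if frag else ""
    if h["offset"] != 0:
        # Non-first fragments carry no TCP/UDP header, so a filter keyed on
        # SYN flags or ports has nothing to match and must decide on IP fields.
        return "non-first fragment (no L4 header): proto=%d offset=%d" % (h["proto"], h["offset"])
    if h["proto"] == 6 and len(h["payload"]) >= 14:
        fl = h["payload"][13]
        if fl & TCP_SYN and not fl & TCP_ACK:
            return "plain SYN" + tag
    if h["proto"] == 17 and len(h["payload"]) >= 8:
        return "UDP to port %d%s" % (struct.unpack("!H", h["payload"][2:4])[0], tag)
    return "other" + (", fragment" if frag else "")

# Constructed samples: a plain TCP SYN to port 80, the first fragment of a UDP
# datagram to port 1026 (the Messenger port mentioned in the thread), and a
# non-first fragment of the same datagram.
SAMPLE_SYN = build_ipv4(6, False, 0, struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, TCP_SYN, 8192, 0, 0))
SAMPLE_UDP_FRAG1 = build_ipv4(17, True, 0, struct.pack("!HHHH", 1025, 1026, 1400, 0) + b"A" * 8)
SAMPLE_FRAG2 = build_ipv4(17, False, 8, b"B" * 16)
```

Running classify over the three samples shows that only the first is a "plain SYN"; the other two are exactly the packets a SYN-only logger never records.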