Re: Huge security hole in Kerio 2.1.5

From: Laurent (Laurent.Grenet.Enlevez-Ca_at_Voila.fr)
Date: 03/06/05


Date: Sun, 06 Mar 2005 22:59:24 +0100

Bart Bailey wrote on 06/03/2005:
> In Message-ID:<mn.32a47d535e4a7abd.2067@Voila.fr> posted on Sun, 06 Mar
> 2005 11:16:31 +0100, Laurent wrote: Begin
>
>> Bart Bailey wrote on 06/03/2005:
>>> Also do you know where I might be able to test my config for this
>>> fragpacket vulnerability? some probe site maybe?
>>
>> You can run the test I describe in the first post of this thread.
>
> Seems to have disappeared from my spool, but I think it involved me
> having to do some deliberate crippling action to my config in order to
> create a non-standard config. If that's the case, I have no worries,
> thanks.

Here is the very simple test:

About the Kerio issue, this is the very simple test that was suggested to
me... and whose result is a little bit frightening:
- Create a Kerio rule denying all Input ICMP (answers to ping requests),
and put this rule in 1st position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damned, you get an answer! (the -l
parameter, setting a packet size above the MTU, obliges ping to fragment)

Even more serious: don't even add any rule, but with the systray icon,
choose "Stop traffic" (or something like that, my own Kerio is
in French, and I don't know the exact label in English).
Even in this case, "simple" ping doesn't work, but "fragmented" ping
does...

-- 
Laurent GRENET
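
An added example (not part of the original post, and not Kerio's code): a "deny all ICMP" rule evaluated on the IP protocol field, so the fragments that `ping -l 5000` produces get the same verdict as an unfragmented ping. The 1500-byte MTU, the 192.0.2.x addresses and all function names are assumptions; the packets are constructed in memory and nothing is sent.

```python
import struct

ICMP = 1  # IPv4 protocol number

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields a fragment-aware filter needs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    return {"proto": pkt[9],
            "more_fragments": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8}  # offset in bytes

def is_fragment(h: dict) -> bool:
    return h["more_fragments"] or h["offset"] > 0

def verdict(pkt: bytes) -> str:
    """'Deny all ICMP', decided on the IP protocol field alone.
    Every fragment repeats that field, so fragments past the first
    (which carry no ICMP header) are dropped as well."""
    return "drop" if parse_ipv4(pkt)["proto"] == ICMP else "pass"

def build_fragments(total_len: int, mtu: int = 1500) -> list:
    """Constructed sample: IPv4 fragments of one ICMP datagram of
    total_len bytes (ICMP header + data); checksum left at zero."""
    step = (mtu - 20) // 8 * 8  # fragment data is a multiple of 8 bytes
    frags = []
    for off in range(0, total_len, step):
        size = min(step, total_len - off)
        more = 0x2000 if off + size < total_len else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, 0x1234,
                          more | (off // 8), 64, ICMP, 0,
                          bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frags.append(hdr + bytes(size))
    return frags

def audit(packets) -> list:
    """(byte offset, is a fragment?, verdict) for each packet."""
    rows = []
    for p in packets:
        h = parse_ipv4(p)
        rows.append((h["offset"], is_fragment(h), verdict(p)))
    return rows
```

`audit(build_fragments(5008))` models the reply to `ping -l 5000` (5000 data bytes plus the 8-byte ICMP header): four fragments, all of which a filter that fails closed must drop.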

