Kerio 2.1.5 vs. Kerio 4xx

on 15.11.2004 21:34:55 by Damaeus

One would think that keeping the firewall updated with the latest, greatest
version would result in better protection. Yet there are people who
continue using older firewall software.

I realize that a firewall is a firewall and the whole point is to monitor
and grant or deny permission to communicate. It seems like there would
really be no way to improve on such a simple concept. Either a program
communicates or it doesn't, or it communicates wherever you say it can.

So with respect to firewall-specific demands, is there anything that KPF
4.x does that's better than 2.1.5? How important is the monitoring of
applications and its attempts to launch other apps? I'm thinking about
downgrading to 2.1.5 because while there were fewer features, the older
version just seems much simpler to use.

Damaeus

Re: Kerio 2.1.5 vs. Kerio 4xx

on 15.11.2004 22:27:38 by Angus Rodgers

On Mon, 15 Nov 2004 20:34:55 GMT, Damaeus
wrote:

>So with respect to firewall-specific demands, is there anything
>that KPF 4.x does that's better than 2.1.5?

Well, it buggers up my (otherwise pretty stable) Win98SE
system much better! 2.1.5 was pathetic in this regard -
I never even noticed it was there, except when someone
tried to access my PC.

>How important is the monitoring of applications and its attempts
>to launch other apps?

Very important, if you really want to screw things up and
see lots of lovely blue screens!

>I'm thinking about downgrading to 2.1.5 because while there were
>fewer features, the older version just seems much simpler to use.

Ditto.

--
Angus Rodgers
(angus_prune@ eats spam; reply to angusrod@)
Contains mild peril

Re: Kerio 2.1.5 vs. Kerio 4xx

on 16.11.2004 06:47:11 by Kerodo

In article , no-mail@hotmail.invalid.net says...
> So with respect to firewall-specific demands, is there anything that KPF
> 4.x does that's better than 2.1.5? How important is the monitoring of
> applications and its attempts to launch other apps? I'm thinking about
> downgrading to 2.1.5 because while there were fewer features, the older
> version just seems much simpler to use.

I like Kerio 2.1.5 much better than 4.1.x in general. However, 2.1.5 IS
subject to the recently mentioned fragmented packet exploit. It seems
that it lets fragmented packets thru the firewall without logging or
otherwise blocking them. IF that's not a concern to you, then 2.1.5
would be the way to go. 4.1.x is still very buggy, with terrible
logging and other problems, however, 4.1.x is not subject to the
fragmented packet problem.

Tough choice...

--
Kerodo

Re: Kerio 2.1.5 vs. Kerio 4xx

on 16.11.2004 14:56:01 by dvader

>I like Kerio 2.1.5 much better than 4.1.x in general. However, 2.1.5 IS
>subject to the recently mentioned fragmented packet exploit. It seems
>that it lets fragmented packets thru the firewall without logging or
>otherwise blocking them.

That seems to be questionable. The fragmented packet exploit is verified for
Kerio 4.0.0 through 4.1.1, but I haven't seen anything definitive about Kerio
2.x. Many people have interpreted the statement "affects Kerio 4.1.1 and prior"
to mean all versions of Kerio, including 2.x, but it could also just mean prior
Kerio 4.x builds. Considering how different Kerio 4.x is from Kerio 2.x and
considering how popular Kerio 2.1.5 is and how long it has been in use without
this flaw showing up, I have my doubts. It needs to be tested, but I am not in a
position to do so.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 16.11.2004 19:05:03 by Hans-Peter Sauer

On Tue, 16 Nov 2004 08:56:01 -0500, "\"Crash\" Dummy"
wrote:

>>I like Kerio 2.1.5 much better than 4.1.x in general. However, 2.1.5 IS
>>subject to the recently mentioned fragmented packet exploit. It seems
>>that it lets fragmented packets thru the firewall without logging or
>>otherwise blocking them.
>
>That seems to be questionable.

Maybe, but it's a fact.

> The fragmented packet exploit is verified for
>Kerio 4.0.0 through 4.1.1, but I haven't seen anything definitive about Kerio
>2.x. Many people have interpreted the statement "affects Kerio 4.1.1 and prior"
>to mean all versions of Kerio, including 2.x, but it could also just mean prior
>Kerio 4.x builds. Considering how different Kerio 4.x is from Kerio 2.x and
>considering how popular Kerio 2.1.5 is and how long it has been in use without
>this flaw showing up, I have my doubts. It needs to be tested, but I am not in a
>position to do so.

I've tested 2.1.5 and it let through every fragmented packet I sent
it. 4.1.1 doesn't seem to be vulnerable, at least not to this:
http://www.snort.org/docs/idspaper/

While Tiny 2.? and Kerio 2.1.5 fell to the first frag attack, 4.1.1
survived all 21 attacks available using fragrouter. ZoneAlarm free,
Jetico and XP firewall SP2 were also tested but not found to be
vulnerable.

I think the problem is that as Kerio haven't announced the
vulnerability people are dubious.

So, who's up for testing? You will need a LAN with 3 computers. An
attacker using any OS, a Linux machine to run fragrouter and a Windows
machine to run Kerio. It's quite easy to do. Full instructions can be
provided. Anyone?

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 16.11.2004 20:35:55 by dvader

>So, who's up for testing? You will need a LAN with 3 computers. An
>attacker using any OS, a Linux machine to run fragrouter and a Windows
>machine to run Kerio. It's quite easy to do. Full instructions can be
>provided. Anyone?

How about two computers across the internet? I have Kerio 2.1.5 installed on a
W2K machine connected directly to a broadband modem, no router. I am also
running an HTTP server behind the firewall. I can play victim for a prearranged
attack. I will just need to know it's coming and what to look for so I can set
up the system and the logs.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 17.11.2004 03:51:20 by Kerodo

In article <10pk1ni4vtro03@corp.supernews.com>, dvader@deathstar.mil
says...
> >I like Kerio 2.1.5 much better than 4.1.x in general. However, 2.1.5 IS
> >subject to the recently mentioned fragmented packet exploit. It seems
> >that it lets fragmented packets thru the firewall without logging or
> >otherwise blocking them.
>
> That seems to be questionable. The fragmented packet exploit is verified for
> Kerio 4.0.0 through 4.1.1, but I haven't seen anything definitive about Kerio
> 2.x. Many people have interpreted the statement "affects Kerio 4.1.1 and prior"
> to mean all versions of Kerio, including 2.x, but it could also just mean prior
> Kerio 4.x builds. Considering how different Kerio 4.x is from Kerio 2.x and
> considering how popular Kerio 2.1.5 is and how long it has been in use without
> this flaw showing up, I have my doubts. It needs to be tested, but I am not in a
> position to do so.
>

I think you're confusing 2 separate exploits. The original one I was
referring to is the one that Hassan tested extensively a few weeks ago.
This is also the one I originally brought up 8 or 9 months ago.
Fragmented packets are able to get right thru Kerio 2.1.5 and earlier,
both TCP and UDP apparently.

The 2nd one is the one that affects Kerio 4.0-4.1.1. That's another
problem altogether, just recently brought up in various forums and here
I think...

At any rate, it appears from this thread that you guys are about to test
it out, so good luck... :)

--
Kerodo

Re: Kerio 2.1.5 vs. Kerio 4xx

on 17.11.2004 23:26:49 by Hans-Peter Sauer

On Tue, 16 Nov 2004 14:35:55 -0500, "\"Crash\" Dummy"
wrote:

>>So, who's up for testing? You will need a LAN with 3 computers. An
>>attacker using any OS, a Linux machine to run fragrouter and a Windows
>>machine to run Kerio. It's quite easy to do. Full instructions can be
>>provided. Anyone?
>
>How about two computers across the internet? I have Kerio 2.1.5 installed on a
>W2K machine connected directly to a broadband modem, no router. I am also
>running an HTTP server behind the firewall. I can play victim for a prearranged
>attack. I will just need to know it's coming and what to look for so I can set
>up the system and the logs.

LOL
It would be complicated. I only have one computer with a modem (XP).
Maybe I could install ICS :-( and route the packets from Linux >
fragrouter > XP ICS gateway > inet. The packets should get out, but
I'm not sure they would get back to the right computer. I would have
to check if that works, fragrouter might have to be the last gateway.

Also, with an HTTP server I don't know if you could log the
connection. Kerio certainly won't. You might have to listen on a high
port with netcat or something similar. Then I could delete a file or
run a program maybe. Would you trust me inside your computer?

I'm not sure of the legality either.
It would be easiest if Kerio owned up.

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 17.11.2004 23:40:56 by Lam Duk

>It would be complicated. I only have one computer with a modem (XP).
>Maybe I could install ICS :-( and route the packets from Linux >
>fragrouter > XP ICS gateway > inet. The packets should get out, but
>I'm not sure they would get back to the right computer. I would have
>to check if that works, fragrouter might have to be the last gateway.

Well, a test across the internet is really the only test that matters.

>Also, with an HTTP server I don't know if you could log the
>connection. Kerio certainly won't. You might have to listen on a high
>port with netcat or something similar. Then I could delete a file or
>run a program maybe. Would you trust me inside your computer?

If you can break in using this vulnerability, you can do anything you like
except mess with the boot sector. It is an expendable, "honeypot" system, not my
regular one, which doesn't use Kerio. That is why I would need advance warning
to set up the test.

>I'm not sure of the legality either.
>It would be easiest if Kerio owned up.

As long as we both agree, it is legal.

I can be reached at the e-mail address below my sig, but be sure to make
"Techtalk" the subject line, or it will be dropped by the filter.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 18.11.2004 01:20:29 by Hans-Peter Sauer

On Wed, 17 Nov 2004 17:40:56 -0500, "Lam Duk"
wrote:

>>It would be complicated. I only have one computer with a modem (XP).
>>Maybe I could install ICS :-( and route the packets from Linux >
>>fragrouter > XP ICS gateway > inet. The packets should get out, but
>>I'm not sure they would get back to the right computer. I would have
>>to check if that works, fragrouter might have to be the last gateway.
>
>Well, a test across the internet is really the only test that matters.
>
>>Also, with an HTTP server I don't know if you could log the
>>connection. Kerio certainly won't. You might have to listen on a high
>>port with netcat or something similar. Then I could delete a file or
>>run a program maybe. Would you trust me inside your computer?
>
>If you can break in using this vulnerability, you can do anything you like
>except mess with the boot sector. It is an expendable, "honeypot" system, not my
>regular one, which doesn't use Kerio. That is why I would need advance warning
>to set up the test.
>
>>I'm not sure of the legality either.
>>It would be easiest if Kerio owned up.
>
>As long as we both agree, it is legal.
>
>I can be reached at the e-mail address below my sig, but be sure to make
>"Techtalk" the subject line, or it will be dropped by the filter.

Lam Duk?

Re: Kerio 2.1.5 vs. Kerio 4xx

on 18.11.2004 02:06:48 by dvader

>Lam Duk?

Sorry. Different handle on different system. :-)
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 22.11.2004 00:39:11 by Hans-Peter Sauer

On Wed, 17 Nov 2004 17:40:56 -0500, "Lam Duk"
wrote:

>>It would be complicated. I only have one computer with a modem (XP).
>>Maybe I could install ICS :-( and route the packets from Linux >
>>fragrouter > XP ICS gateway > inet. The packets should get out, but
>>I'm not sure they would get back to the right computer. I would have
>>to check if that works, fragrouter might have to be the last gateway.
>
>Well, a test across the internet is really the only test that matters.
>
>>Also, with an HTTP server I don't know if you could log the
>>connection. Kerio certainly won't. You might have to listen on a high
>>port with netcat or something similar. Then I could delete a file or
>>run a program maybe. Would you trust me inside your computer?
>
>If you can break in using this vulnerability, you can do anything you like
>except mess with the boot sector. It is an expendable, "honeypot" system, not my
>regular one, which doesn't use Kerio. That is why I would need advance warning
>to set up the test.
>
>>I'm not sure of the legality either.
>>It would be easiest if Kerio owned up.
>
>As long as we both agree, it is legal.
>
>I can be reached at the e-mail address below my sig, but be sure to make
>"Techtalk" the subject line, or it will be dropped by the filter.

I tried to get XP ICS working but I've deleted too many rpc entries in
the registry, and I can't use dial-up on the Linux computers without
another modem. In a week or two ADSL should be here, maybe we could
try then.

If you like running honeypots have a look at
http://lissi.dusnet.de/LiDuS.zip
for info:
http://lissi.dusnet.de/down.html

Try it on the LAN first to see how it works.

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 22.11.2004 15:21:40 by dvader

>I tried to get XP ICS working but I've deleted too many rpc entries in
>the registry, and I can't use dial-up on the Linux computers without
>another modem. In a week or two ADSL should be here, maybe we could
>try then.

Some folks over in the GRC newsgroups ran some tests and concluded that Kerio
2.1.5 is not vulnerable.

>If you like running honeypots have a look at

I don't really run "honeypots" in the usual sense. That was a poor choice of
words. I do have expendable temporary systems that I use to evaluate software
before I install it on my permanent, working system.

>Try it on the LAN first to see how it works.

I no longer have a LAN, and in any case, I don't think a test run on a local
network is a realistic test of a WAN vulnerability. If it won't work over the
internet, it is not a threat.

I'm still here and willing to play whenever the mood takes you. Since this
thread is getting old and way down the list, I suggest you contact me by e-mail
if you want to play. I may miss a NG posting.
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 25.11.2004 01:26:17 by Hans-Peter Sauer

On Mon, 22 Nov 2004 09:21:40 -0500, "\"Crash\" Dummy"
wrote:

>Some folks over in the GRC newsgroups ran some tests and concluded that Kerio
>2.1.5 is not vulnerable.
>

I'd appreciate a link to that as I can't find it on grc.

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 25.11.2004 01:41:13 by Kerodo

In article <1g9aq0hg7h7thsot5nim65iocnle2lvkrq@4ax.com>, me@privacy.net
says...
> On Mon, 22 Nov 2004 09:21:40 -0500, "\"Crash\" Dummy"
> wrote:
>
>
> >Some folks over in the GRC newsgroups ran some tests and concluded that Kerio
> >2.1.5 is not vulnerable.
> >
>
>
> I'd appreciate a link to that as I can't find it on grc.
>

I think there are 2 vulnerabilities that are being discussed lately.
There's the fragmented packet one that you and I were talking about, and
then there's another Kerio 4 vulnerability that is recently being
discussed that people are wondering if Kerio 2.x is also vulnerable. It
might help if they clarified which one was being discussed at grc. I
have a feeling it's the other recent one that affects Kerio 4.0-4.1.1.

--
Kerodo

Re: Kerio 2.1.5 vs. Kerio 4xx

on 28.11.2004 22:57:09 by Courtney

Hassan I Sahba wrote in
news:71knp0t9sjt7dnc4n4qdm5ibr4j93efo1h@4ax.com:

> It would be complicated. I only have one computer with a modem (XP).
> Maybe I could install ICS :-( and route the packets from Linux >
> fragrouter > XP ICS gateway > inet. The packets should get out, but
> I'm not sure they would get back to the right computer. I would have
> to check if that works, fragrouter might have to be the last gateway.

If it's so hard for you 2 guys to try it over the Internet, even by
arrangement, then is the vulnerability even worth worrying about? It seems
to me that any such exploit would have to be the result of a personal
attack by someone who knew where I am, and had specific info about my
system. Random port scans by hackers are not going to turn up enough info
for them to single me out. It might be that someone might accidentally hit
me with the right combination to trigger an exploit, but that seems
unlikely to me.

In other words, is this vulnerability worth taking seriously?

Re: Kerio 2.1.5 vs. Kerio 4xx

on 29.11.2004 06:29:36 by Kerodo

In article <30uvtkF345tilU2@uni-berlin.de>, a@b.c says...
> Hassan I Sahba wrote in
> news:71knp0t9sjt7dnc4n4qdm5ibr4j93efo1h@4ax.com:
>
> > It would be complicated. I only have one computer with a modem (XP).
> > Maybe I could install ICS :-( and route the packets from Linux >
> > fragrouter > XP ICS gateway > inet. The packets should get out, but
> > I'm not sure they would get back to the right computer. I would have
> > to check if that works, fragrouter might have to be the last gateway.
>
> If it's so hard for you 2 guys to try it over the Internet, even by
> arrangement, then is the vulnerability even worth worrying about? It seems
> to me that any such exploit would have to be the result of a personal
> attack by someone who knew where I am, and had specific info about my
> system. Random port scans by hackers are not going to turn up enough info
> for them to single me out. It might be that someone might accidentally hit
> me with the right combination to trigger an exploit, but that seems
> unlikely to me.
>
> In other words, is this vulnerability worth taking seriously?

That's a good question. I used it for months even knowing that the
vulnerability existed. Someone would have to specifically target your
IP, hand craft fragmented packets to actually do something, and even
then, it's not clear to me that anything much could actually be done.

I personally decided to go with another firewall (VisNetic/8Signs) but I
imagine many people will just continue to use 2.1.5. The odds of
something happening are rather slim I would think though...

--
Kerodo

Re: Kerio 2.1.5 vs. Kerio 4xx

on 29.11.2004 16:03:17 by dvader

>If it's so hard for you 2 guys to try it over the Internet, even by
>arrangement, then is the vulnerability even worth worrying about?

My sentiments, exactly. That's why I volunteered to be the Crash Dummy. The only
"verification" of this "vulnerability" involved a complicated setup over a local
network. If it doesn't work over the internet armed only with an IP, who cares?
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com

Re: Kerio 2.1.5 vs. Kerio 4xx

on 03.12.2004 00:32:14 by Hans-Peter Sauer

On Wed, 24 Nov 2004 16:41:13 -0800, Kerodo
wrote:

>In article <1g9aq0hg7h7thsot5nim65iocnle2lvkrq@4ax.com>, me@privacy.net
>says...
>> On Mon, 22 Nov 2004 09:21:40 -0500, "\"Crash\" Dummy"
>> wrote:
>>
>>
>> >Some folks over in the GRC newsgroups ran some tests and concluded that Kerio
>> >2.1.5 is not vulnerable.
>> >
>>
>>
>> I'd appreciate a link to that as I can't find it on grc.
>>
>
>I think there are 2 vulnerabilities that are being discussed lately.
>There's the fragmented packet one that you and I were talking about, and
>then there's another Kerio 4 vulnerability that is recently being
>discussed that people are wondering if Kerio 2.x is also vulnerable. It
>might help if they clarified which one was being discussed at grc. I
>have a feeling it's the other recent one that affects Kerio 4.0-4.1.1.

I found a post called "KPF 2.1.5 *IS NOT* vulnerable" on grc, but it
referred to a DOS vulnerability, so I assumed it was not the one Crash
Dummy referred to. Maybe it was.

Re: Kerio 2.1.5 vs. Kerio 4xx

on 03.12.2004 00:32:18 by Hans-Peter Sauer

On 28 Nov 2004 21:57:09 GMT, elaich wrote:

>Hassan I Sahba wrote in
>news:71knp0t9sjt7dnc4n4qdm5ibr4j93efo1h@4ax.com:
>
>> It would be complicated. I only have one computer with a modem (XP).
>> Maybe I could install ICS :-( and route the packets from Linux >
>> fragrouter > XP ICS gateway > inet. The packets should get out, but
>> I'm not sure they would get back to the right computer. I would have
>> to check if that works, fragrouter might have to be the last gateway.
>
>If it's so hard for you 2 guys to try it over the Internet, even by
>arrangement, then is the vulnerability even worth worrying about?

The difficulty here is that fragrouter runs on Linux/BSD, and I have a
winmodem. To test it online I would have to buy another modem and then
figure out how to configure dial-up on Linux/BSD, which would be a
waste of time and money as I have broadband now. To anyone with a
Linux/BSD gateway it would be a doddle.

> It seems to me that any such exploit would have to be the result of a personal
>attack by someone who knew where I am, and had specific info about my
>system. Random port scans by hackers are not going to turn up enough info
>for them to single me out. It might be that someone might accidentally hit
>me with the right combination to trigger an exploit, but that seems
>unlikely to me.

Kerio 2.1.5 machines are easy to find on the internet. It's more
likely to be a random attack than a personal attack.

>In other words, is this vulnerability worth taking seriously?

It depends if you take security seriously. Do you install OS updates
or not bother because you are unlikely to be targeted by the latest
exploit? If Kerio announced this vulnerability and released an update
would you ignore it because you think you are an unlikely target?

I have an umbrella with a big hole, it keeps me dry when it's not
raining. ;o)

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 03.12.2004 00:32:25 by Hans-Peter Sauer

On Sun, 28 Nov 2004 21:29:36 -0800, Kerodo
wrote:

>That's a good question. I used it for months even knowing that the
>vulnerability existed. Someone would have to specifically target your
>IP, hand craft fragmented packets to actually do something, and even
>then, it's not clear to me that anything much could actually be done.

It's much simpler than that. Enter "fragrouter -F1" in a shell on a
Linux/BSD gateway and everything that goes out gets past Kerio.

HiS
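Two posts above describe the failure only in general terms: Kerodo's, that 2.1.5 passes fragmented packets without logging or blocking them, and Hassan's, that everything sent through a fragmenting gateway gets past the firewall. As an added example (not code from the thread, from Kerio or from fragrouter), the Python below models why a filter that judges each IP fragment on its own fails open, beside a reassemble-then-inspect check that fails closed and reports incomplete fragment sets for logging. All packets are constructed in memory and never sent; the addresses, ports and IP ID are illustrative.

```python
import struct
from collections import defaultdict

TCP = 6

def ipv4(src, dst, ident, offset, more, payload, proto=TCP):
    """Build a minimal IPv4 datagram: 20-byte header, no options, checksum zeroed."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def parse(pkt):
    """Return the fields a fragment-aware filter needs from a raw IPv4 datagram."""
    vihl, _tos, total, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & 0x2000), "payload": pkt[ihl:total]}

def tcp_verdict(segment, blocked_ports):
    """Destination-port rule on a TCP segment; None if the header is incomplete."""
    if len(segment) < 20:
        return None
    _sport, dport = struct.unpack("!HH", segment[:4])
    return "block" if dport in blocked_ports else "allow"

def naive_filter(packets, blocked_ports):
    """Stateless per-fragment check. A non-initial fragment carries no TCP
    header and a short first fragment cannot be evaluated, so both are
    forwarded: the fail-open behaviour the thread describes."""
    verdicts = []
    for pkt in packets:
        f = parse(pkt)
        v = tcp_verdict(f["payload"], blocked_ports) if f["offset"] == 0 else None
        verdicts.append(v or "allow")
    return verdicts

def reassembling_filter(packets, blocked_ports):
    """Stateful check: queue fragments per (src, dst, id, proto), apply the
    rule only to the reassembled datagram, and fail closed on anything that
    never completes (reported as 'held' so it can be logged)."""
    pending = defaultdict(dict)
    verdicts = {}
    for pkt in packets:
        f = parse(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        pending[key][f["offset"]] = (f["payload"], f["more"])
        data, pos, complete = b"", 0, False
        while pos in pending[key]:            # walk contiguous fragments from offset 0
            chunk, more = pending[key][pos]
            data += chunk
            pos += len(chunk)
            if not more:                      # last fragment (MF clear) reached
                complete = True
                break
        if complete:
            verdicts[key] = tcp_verdict(data, blocked_ports) or "block"
            del pending[key]
    for key in pending:
        verdicts[key] = "held"
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses). A 20-byte TCP
# SYN to port 23 is split into 8 + 12 bytes, as an 8-byte fragmenter would do it.
SRC, DST = (198, 51, 100, 7), (192, 0, 2, 10)
SYN_23 = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
FRAGMENTED_SYN = [ipv4(SRC, DST, 0xBEEF, 0, True, SYN_23[:8]),
                  ipv4(SRC, DST, 0xBEEF, 8, False, SYN_23[8:])]
BLOCKED = {23}

if __name__ == "__main__":
    print("per-fragment:", naive_filter(FRAGMENTED_SYN, BLOCKED))   # ['allow', 'allow']
    print("reassembled: ", list(reassembling_filter(FRAGMENTED_SYN, BLOCKED).values()))
```

The same rule blocks the unfragmented SYN in both filters; only the stateless one lets the fragmented copy through, which is why a firewall log that shows nothing for such traffic is not evidence that nothing arrived.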

Re: Kerio 2.1.5 vs. Kerio 4xx

on 03.12.2004 00:32:29 by Hans-Peter Sauer

On Mon, 29 Nov 2004 10:03:17 -0500, "\"Crash\" Dummy"
wrote:

>>If it's so hard for you 2 guys to try it over the Internet, even by
>>arrangement, then is the vulnerability even worth worrying about?
>
>My sentiments, exactly. That's why I volunteered to be the Crash Dummy. The only
>"verification" of this "vulnerability" involved a complicated setup over a local
>network. If it doesn't work over the internet armed only with an IP, who cares?

It's not complicated if you have the hardware and are already set up
to use Linux/BSD to connect to the internet.

HiS

Re: Kerio 2.1.5 vs. Kerio 4xx

on 03.12.2004 07:47:46 by Courtney

Hassan I Sahba wrote in
news:1g9vq0t6cphkf77h1v55cj1ctsqd11sqh7@4ax.com:

> It depends if you take security seriously. Do you install OS updates
> or not bother because you are unlikely to be targeted by the latest
> exploit?

Since my OS is quite mature and hasn't had a critical update in several
years, not. The same is true of KPF 2.1.5.

>If Kerio announced this vulnerability and released an update
> would you ignore it because you think you are an unlikely target?

No, I wouldn't if it came from Kerio.

I still have yet to hear of one single validated case of this being
exploited outside of laboratory conditions. Since the vulnerability has
been there for years and there isn't a documented case of it being
exploited, I still maintain it's nothing to get your panties in a bunch
over.