Possible Kerio Vulnerability Workaround


Hassan I Sahba

First let me tell you about Kerio. I reported this frag problem to
them on 16/12/04. They said it's several years out of date and is not
sold or supported. I asked them if the exploit concerned them and they
told me not to contact them again. No more replies. _|_

Many people still like Tiny/Kerio 2.x and will continue to use it
despite Kerio's lack of concern for their security(dig). So:
This works on XP. Do registry backups.

Go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
make a new DWORD Value
EnableFragmentChecking
edit it and change the value to 1
Make sure it's in
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
and a reboot shouldn't be needed.

This should stop the XP stack processing fragmented packets, so they
should be rejected before they get to Tiny/Kerio. It should work for
2k/03 as well; I haven't checked 9.x.
To check it works before making the registry change, send out some
fragmented packets using ping or hping. After the change the packets
will time out as the stack drops them.

HiS

Leythos

> Many people still like Tiny/Kerio 2.x and will continue to use it
> despite Kerio's lack of concern for their security(dig). So:

I have a question, not being a smart-ass or anything, but if the vendor
stopped supporting the product, and you've found a flaw in an unsupported
product, why would you expect the vendor to provide a fix for the
unsupported product?

Now, if you were to find a flaw in the current product and they were to
disregard the flaw, that would be a concern.

Laurent

Hassan I Sahba wrote on 06/03/2005:
> First let me tell you about Kerio. I reported this frag problem to
> them on 16/12/04. They said it's several years out of date and is not
> sold or supported. I asked them if the exploit concerned them and they
> told me not to contact them again. No more replies. _|_
>
> Many people still like Tiny/Kerio 2.x and will continue to use it
> despite Kerio's lack of concern for their security(dig). So:
> This works on XP. Do registry backups.
>
> Go to:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
> make a new DWORD Value
> EnableFragmentChecking
> edit it and change the value to 1
> Make sure it's in
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
> and a reboot shouldn't be needed.
>
> This should stop the XP stack processing fragmented packets, so they
> should be rejected before they get to Tiny/Kerio. It should work for
> 2k/03 as well; I haven't checked 9.x.
> To check it works before making the registry change, send out some
> fragmented packets using ping or hping. After the change the packets
> will time out as the stack drops them.
>
> HiS

Thank you for the idea... but unfortunately, it doesn't work!
To be sure, I've rebooted my PC in order to increase the probability that the
update is taken into account, and even after this reboot, ping -l 5000
whichever_you_want continues to send fragmented pings... which still
aren't blocked by Kerio despite a rule blocking all ICMP...

Hassan I Sahba

> I have a question, not being a smart-ass or anything, but if the vendor
> stopped supporting the product, and you've found a flaw in an unsupported
> product, why would you expect the vendor to provide a fix for the
> unsupported product?

This flaw was public in 1999 and affected many firewalls. Everyone but
Tiny/Kerio fixed the problem. I've only verified that Tiny/Kerio are
still vulnerable.
I don't expect a fix, I expect them to announce the problem and let
their users know they are at risk.

> Now, if you were to find a flaw in the current product and they were to
> disregard the flaw, that would be a concern.

It was a current product when the exploit was known, and the other
vendors fixed it.

Tiny/Kerio 2.x has serious problems that need to be officially
announced. I'd suggest Tiny/Kerio users email support and ask if the
software is safe to use.

I seem to remember you saying you used PF's on laptops. Do you, or any
of your clients use Tiny/Kerio?

HiS

Leythos

> I seem to remember you saying you used PF's on laptops. Do you, or any
> of your clients use Tiny/Kerio?

Sure we do, but we also don't keep OLD firewall products on our systems,
we tend to stay one rev behind unless there is a compelling reason to use
the current version.

Your version is way outdated.

Hassan I Sahba

> Sure we do, but we also don't keep OLD firewall products on our systems,
> we tend to stay one rev behind unless there is a compelling reason to use
> the current version.
>
> Your version is way outdated.

Sorry. I meant to ask if you or your clients use Tiny/Kerio 2.x?

HiS

Leythos

> Sorry. I meant to ask if you or your clients use Tiny/Kerio 2.x?

No, we would never install a program that requires understanding at that
level for them. If a client is in need of a personal firewall for their
laptop we install ZAP and keep it updated. If this is for the office it's
a real firewall appliance, and for their homes we use routers with NAT/SPI.

General users don't know enough to properly setup Tiny/Kerio and we don't
run 2.x on any of them.

What you need to do is get off the horse and update to one of the fixed
versions and stop wasting your time on such an old version. Why do you
think companies release new software and not just updates?

Alastair Smeaton

> What you need to do is get off the horse and update to one of the fixed
> versions and stop wasting your time on such an old version. Why do you
> think companies release new software and not just updates?

Kerio 4.x seems to be generally regarded as bloatware and buggy -
certainly when I tried it, it caused major problems.

Some people are happy with older versions, if it works for them. I
take your point though made earlier, that Kerio 2.x requires user
understanding, and is therefore not for everyone.

mhicaoidh

Taking a moment's reflection, Hassan I Sahba mused:
|
| This flaw was public in 1999 and affected many firewalls. Everyone but
| Tiny/Kerio fixed the problem. I've only verified that Tiny/Kerio are
| still vulnerable.

That's not anywhere near being accurate. Kerio *did* fix it in version
4. Kerio 2.x has been discontinued for a very long time ... they aren't
going to fix what is no longer being developed. I still use 2.1.4, but I
don't understand why so many people get so up in arms over a security hole
discovered in a piece of software that has been discontinued for years.

Kerodo

> Taking a moment's reflection, Hassan I Sahba mused:
> |
> | This flaw was public in 1999 and affected many firewalls. Everyone but
> | Tiny/Kerio fixed the problem. I've only verified that Tiny/Kerio are
> | still vulnerable.
>
> That's not anywhere near being accurate. Kerio *did* fix it in version
> 4. Kerio 2.x has been discontinued for a very long time ... they aren't
> going to fix what is no longer being developed. I still use 2.1.4, but I
> don't understand why so many people get so up in arms over a security hole
> discovered in a piece of software that has been discontinued for years.

Mostly fear I suspect. I think most people have concluded that nothing
harmful can happen as a result of it. A few frag'd packets may slip thru,
but any response to them will be blocked by Kerio, so what's the problem?
I don't see how any harm can come from it. But maybe I'm missing
something?

EA

> Mostly fear I suspect. I think most people have concluded that
> nothing harmful can happen as a result of it. A few frag'd
> packets may slip thru, but any response to them will be blocked by
> Kerio, so what's the problem? I don't see how any harm can come
> from it. But maybe I'm missing something?

It is a very minor "vulnerability." Basically, the only thing that
happens is that you can lose your stealth status, i.e., the person
sending the packets will know that your machine is there. It will
not be possible to connect to your system. I find it odd that this
vulnerability gets so much publicity in this forum the moment that
there are other, far more serious vulnerabilities that affect many
firewalls, old and new...

E.

elaich

Updates are not always good, and they don't always make the product
better. In many cases, software reaches a point where it is just right,
and further attempts to improve or add to it start it down the road to
bloatware. That is certainly the case with Kerio 2.1.5.
> Kerio 4.x seems to be generally regarded as bloatware and buggy -
> certainly when I tried it, it caused major problems.

Utter garbage. I tried it here and it slowed my computer down to a crawl.

Now cue at least 3 people who will chime in that "it works fine for me."
If it does, great. But there are many people that it has not worked
"fine" for, something that is easily verifiable by doing a little
Googling. Horror stories abound.

Kerodo

> This should stop the XP stack processing fragmented packets, so they
> should be rejected before they get to Tiny/Kerio. It should work for
> 2k/03 as well; I haven't checked 9.x.

Just for fun, I'm trying it here on a Win2k machine. I typically get
several fragmented packets coming in daily, so I'll let you know if this
registry setting stops it.

Gerald Vogt

EA said:
> It is a very minor "vulnerability." Basically, the only thing that
> happens is that you can lose your stealth status, i.e., the person
> sending the packets will know that your machine is there. It will

You lose maybe your "stealth" status but people know that you are there
whether you drop packets or not. Stealth is impossible. The only way to
implement stealth would be in the router of your ISP. If you are not
there that router does respond with an error to the sender. If you do
not answer the sender still does that you are there. It's just like a
phone line: not answering a call does not stealth your number. If the
number does not exist the phone company has one of their messages for
you...

> not be possible to connect to your system. I find it odd that this

How is that? Suppose you have a vulnerable UDP service running on your
computer. Someone sends you a fragmented UDP packet exploiting this
vulnerability. The packet fragments go through the PFW just like the ping
and get reassembled by the IP stack and delivered to your UDP service.

Gerald
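The situation Gerald describes above, and Laurent's observation earlier that a fragmented ping -l 5000 passes a block-all-ICMP rule, modelled as an added illustration; this is not code from the thread or from Tiny/Kerio. `Fragment`, `naive_allow`, `FragmentAwareFilter`, `reassemble`, `deliver` and the 192.0.2.10 sample are all constructed here: the naive filter skips rule evaluation on fragments, the fragment-aware one judges the first fragment and carries that verdict to the rest, and `reassemble` stands in for the host IP stack.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
# Added model of a personal firewall (PFW) in front of the host IP stack; not Kerio's code.
@dataclass(frozen=True)
class Fragment:
    src: str        # source address (constructed sample values below)
    ident: int      # IP identification field, shared by every fragment of one datagram
    proto: str      # transport protocol carried, e.g. "icmp" or "udp"
    offset: int     # fragment offset in bytes; 0 is the fragment holding the transport header
    more: bool      # more-fragments flag
    payload: bytes

def naive_allow(frag: Fragment, blocked: Set[str]) -> bool:
    """Rules are only evaluated on whole datagrams; every fragment passes untouched."""
    if frag.offset == 0 and not frag.more:
        return frag.proto not in blocked
    return True

class FragmentAwareFilter:
    """Hardened model: judge the first fragment, remember the verdict per (src, ident),
    apply it to the later fragments, and drop orphans whose first piece was never seen."""
    def __init__(self, blocked: Set[str]) -> None:
        self.blocked = blocked
        self.verdicts: Dict[Tuple[str, int], bool] = {}

    def allow(self, frag: Fragment) -> bool:
        key = (frag.src, frag.ident)
        if frag.offset == 0:
            self.verdicts[key] = frag.proto not in self.blocked
        return self.verdicts.get(key, False)

def reassemble(frags: List[Fragment]) -> Optional[Tuple[str, bytes]]:
    """Host IP stack: rebuild the datagram only when the fragments form a complete chain."""
    ordered, data, expected = sorted(frags, key=lambda f: f.offset), b"", 0
    for f in ordered:
        if f.offset != expected:
            return None          # first fragment missing, or a hole in the chain
        data, expected = data + f.payload, expected + len(f.payload)
    if not ordered or ordered[-1].more:
        return None              # nothing survived the filter, or the last fragment is missing
    return ordered[0].proto, data

def deliver(frags: List[Fragment], allow) -> Optional[Tuple[str, bytes]]:
    """What reaches the host service: filter each fragment, then reassemble the survivors."""
    return reassemble([f for f in frags if allow(f)])

# Constructed sample: a 3-fragment ICMP echo request against a rule blocking all ICMP.
PING = [Fragment("192.0.2.10", 7, "icmp", off, off < 16, b"8bytes!!") for off in (0, 8, 16)]
BLOCK_ICMP: Set[str] = {"icmp"}
```

With the naive filter the blocked ICMP datagram is rebuilt and delivered; with the fragment-aware filter nothing reaches the stack, which is the check a PFW needs to pass regardless of whether the host stack itself drops fragments.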

Kerodo

> Go to:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
> make a new DWORD Value
> EnableFragmentChecking
> edit it and change the value to 1
> Make sure it's in
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
> and a reboot shouldn't be needed.
>
> This should stop the XP stack processing fragmented packets, so they
> should be rejected before they get to Tiny/Kerio. It should work for
> 2k/03 as well; I haven't checked 9.x.
> To check it works before making the registry change, send out some
> fragmented packets using ping or hping. After the change the packets
> will time out as the stack drops them.

Well, tried the above here on a Win2k machine and it doesn't work. Within
a few hours I saw a fragmented packet getting thru again. Oh well. I'm
not going to lose any sleep over it... :)

Kerodo

> Utter garbage. I tried it here and it slowed my computer down to a crawl.
>
> Now cue at least 3 people who will chime in that "it works fine for me."
> If it does, great. But there are many people that it has not worked
> "fine" for, something that is easily verifiable by doing a little
> Googling. Horror stories abound.

I've been trying out the latest betas and sometimes things work, sometimes
they don't. They fix a few things and then break a few more in the next
release. It's definitely buggy software. If they ever get it fixed up, I
might consider using it, but until then, there are many other choices
available, many free also.

Colonel Blip

Hello, EA!
You wrote on Mon, 07 Mar 2005 05:45:22 GMT:

E> Kerodo <[email protected]> typed in
E>
E> It is a very minor "vulnerability." Basically, the only thing that
E> happens is that you can lose your stealth status, i.e., the person
E> sending the packets will know that your machine is there. It will
E> not be possible to connect to your system. I find it odd that this
E> vulnerability gets so much publicity in this forum the moment that
E> there are other, far more serious vulnerabilities that affect many
E> firewalls, old and new...

E> E.

Newbie here - will even this happen if one is behind a home router?
Thanks.

Colonel Blip.
E-mail: (e-mail address removed)

Aaron

> Hello, EA!
> You wrote on Mon, 07 Mar 2005 05:45:22 GMT:
>
> E> Kerodo <[email protected]> typed in
> E>
> E> It is a very minor "vulnerability." Basically, the only thing that
> E> happens is that you can lose your stealth status, i.e., the person
> E> sending the packets will know that your machine is there. It will
> E> not be possible to connect to your system. I find it odd that this
> E> vulnerability gets so much publicity in this forum the moment that
> E> there are other, far more serious vulnerabilities that affect many
> E> firewalls, old and new...
>
> E> E.
>
> Newbie here - will even this happen if one is behind a home router?
> Thanks.

No. Your router will get it first. But as Gerald has explained 'stealth'
as opposed to closed doesn't give you much benefits anyway.

EA

> You lose maybe your "stealth" status but people know that you are
> there whether you drop packets or not. Stealth is impossible. The
> only way to implement stealth would be in the router of your ISP.
> If you are not there that router does respond with an error to the
> sender. If you do not answer the sender still does that you are
> there. It's just like a phone line: not answering a call does not
> stealth your number. If the number does not exist the phone
> company has one of their messages for you...

Then, you agree with me that being concerned about losing stealth
status is not an issue.

> How is that? Suppose you have a vulnerable UDP service running on
> your computer. Someone sends you a fragmented UDP packet
> exploiting this vulnerability. The packet fragments go through the
> PFW just like the ping and get reassembled by the IP stack and
> delivered to your UDP service.
>
> Gerald


Maybe I misunderstand the vulnerability in question. I was under the
impression that the fragmented packets do not "go through" but simply
a response is sent to the sender. Also, I don't see how an incoming
TCP connection would be established. Can you clarify this?

E.

Colonel Blip

Hello, Aaron!
You wrote on 7 Mar 2005 15:46:26 +0100:

A>
A> No. Your router will get it first. But as Gerald as explained 'stealth'
A> as opposed to closed doesn't give you much benefits anyway.

As it turns out I am using the 4.x version but see no advantages over 2.1.5
and may switch back. Then again, the 4.x hasn't presented an obvious
problem.

Thanks.

Colonel Blip.
E-mail: (e-mail address removed)