Possible Kerio Vulnerability Workaround

Kerodo

Then, you agree with me that being concerned about losing stealth
status is not an issue.




Maybe I misunderstand the vulnerability in question. I was under the
impression that the fragmented packets do not "go through" but simply
a response is sent to the sender. Also, I don't see how an incoming
TCP connection would be established. Can you clarify this?

E.

No, the packets actually go thru the firewall. They're not logged or
blocked. If you send a UDP packet thru the firewall to a closed port,
you'll get an ICMP type 3 response also, which may or may not be blocked
outbound by the firewall.

Leythos

<snip>

Wow. They actually told you not to contact them again? If I were you I would
mail your CD back to them in a box, along with the best turd you could
manage. Have these people heard of customer service?

Actually, sending medical waste (human) could be considered an offense. I
can't actually say I blame the vendor for refusing to work with a customer
that is running a very old version and demanding they patch it.

Memnoch

First let me tell you about Kerio. I reported this frag problem to
them on 16/12/04. They said it's several years out of date and is not
sold or supported. I asked them if the exploit concerned them and they
told me not to contact them again. No more replies. _|_

<snip>

Wow. They actually told you not to contact them again? If I were you I would
mail your CD back to them in a box, along with the best turd you could
manage. Have these people heard of customer service?

Memnoch

Mostly fear I suspect. I think most people have concluded that nothing
harmful can happen as a result of it. A few frag'd packets may slip thru,
but any response to them will be blocked by Kerio, so what's the problem?
I don't see how any harm can come from it. But maybe I'm missing
something?

How about if two years from now they let everyone know that there was a
serious vulnerability found in today's software and they decided to keep quiet
about it because they couldn't fix it?

EA

No, the packets actually go thru the firewall. They're not logged
or blocked. If you send a UDP packet thru the firewall to a
closed port, you'll get an ICMP type 3 response also, which may or
may not be blocked outbound by the firewall.


But still, that does not explain how an incoming TCP connection would
be established by those packets. Am I missing something?

E.

Hassan I Sahba

Taking a moment's reflection, Hassan I Sahba mused:
|
| This flaw was public in 1999 and affected many firewalls. Everyone but
| Tiny/Kerio fixed the problem. I've only verified that Tiny/Kerio are
| still vulnerable.

That's not anywhere near being accurate. Kerio *did* fix it in version
4.

Sorry. I meant "I've only verified that Tiny/Kerio 2.x is still
vulnerable."

From their web site: V4.0.7 - November 10, 2003. So v4 didn't come out
until 4 years after the exploit.
Kerio 2.x has been discontinued for a very long time ... they aren't
going to fix what is no longer being developed. I still use 2.1.4, but I
don't understand why so many people get so up in arms over a security hole
discovered in a piece of software that has been discontinued for years.

People should know if their firewall is vulnerable in some
situations..

HiS

Hassan I Sahba

It is a very minor "vulnerability." Basically, the only thing that
happens is that you can lose your stealth status, i.e., the person
sending the packets will know that your machine is there. It will
not be possible to connect to your system. I find it odd that this
vulnerability gets so much publicity in this forum the moment that
there are other, far more serious vulnerabilities that affect many
firewalls, old and new...

E.

I'd disagree with just about everything there :)

HiS

Hassan I Sahba

Well, tried the above here on a Win2k machine and it doesn't work. Within
a few hours I saw a fragmented packet getting thru again. Oh well. I'm
not going to lose any sleep over it... :)

I thought it would work for 2k. It came from How To Harden the TCP/IP
Stack at:
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTHardTCP.asp>
http://makeashorterlink.com/?Q1BC23F9A

This article is about the 2k stack and discusses many other
interesting registry settings for TCP/IP.

HiS.

Hassan I Sahba

<snip>

Wow. They actually told you not to contact them again? If I were you I would
mail your CD back to them in a box, along with the best turd you could
manage. Have these people heard of customer service?

It's a freeware firewall, for which I was grateful at the time.

HiS

Hassan I Sahba

Actually, sending medical waste (human) could be considered an offense. I
can't actually say I blame the vendor for refusing to work with a customer
that is running a very old version and demanding they patch it.

No demands for patches here. A request was made to announce it.

HiS

Hassan I Sahba

Kerio 4.x seems to be generally regarded as bloatware and buggy -
certainly when I tried it, it caused major problems.

Agreed. I don't much like kerio 4.x or any other PF I've tried.

HiS

Hassan I Sahba

I still use Kerio 2.1.5, along with the XP firewall. I think there are
many people here that do. It's the most well behaved firewall that
I've tried... I like it.

Thanks for the fix and for the continued interest Hassan!

You're welcome.

HiS

Hassan I Sahba

No, we would never install a program that requires understanding at that
level for them. If a client is in need of a personal firewall for their
laptop we install ZAP and keep it updated. If this is for the office it's
a real firewall appliance, and for their homes we use routers with NAT/SPI.

No incentive to try this then.
General users don't know enough to properly setup Tiny/Kerio and we don't
run 2.x on any of them.
Agreed.

What you need to do is get off the horse and update to one of the fixed
versions and stop wasting your time on such an old version.

I have no horse :) I'm telling people in a couple of groups I read
that their firewall isn't capable of the job it was intended for.
Why do you think companies release new software and not just updates?

Some also make security announcements.

HiS

Gerald Vogt

Hassan said:
People should know if their firewall is vulnerable in some
situations..

People should know how their PFWs are vulnerable in various situations.
It is not really an "if".

Gerald

Kerodo

I thought it would work for 2k. It came from How To Harden the TCP/IP
Stack at:
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/HTHardTCP.asp>
http://makeashorterlink.com/?Q1BC23F9A

This article is about the 2k stack and discusses many other
interesting registry settings for TCP/IP.

I saw that same article myself.. It should have worked, but it didn't. I
saw the usual outbound ICMP type 3 code 3 that I always see as a result of
an incoming fragmented UDP packet getting thru. Unless my outbound ICMP
type 3 is due to some other cause (which I seriously doubt)..

Nice try though.. :)

When I observed the fragmented packets coming in in other firewalls, I
noticed that packets came in pairs. I'd see two at the exact same instant.
Jetico firewall blocked them as fragments. Sygate shows one as a frag to
port 0 and then the other packet to port 1026. They're always to port 1026
here. I wonder if your registry hack just blocked the initial fragment and
let the other packet thru or something? I don't really understand or know
how it all works...
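The mechanism the thread keeps circling (EA's point that fragments pass the filter unlogged and a closed port then answers with ICMP type 3, and Kerodo's observation above of fragment pairs to port 1026, one of which shows as "port 0" because it carries no UDP header) is easier to see in a small model. The Python below is an added example, not code from this thread or from Kerio, Jetico, Sygate or any other product named in it. The two filter functions are assumptions about how a rule engine might treat fragments, and the port numbers, fragment sizes and IP IDs are constructed. It shows the two defensive fixes side by side: dropping fragments at ingress (what the thread says Jetico does) and blocking the ICMP port-unreachable reply at egress.

```python
"""Toy model of the behaviour discussed in this thread: a port-based packet
filter that skips fragments, a host stack that reassembles them and answers
a closed UDP port with ICMP type 3 code 3, and the two defensive fixes
(drop fragments at ingress, or block the ICMP reply at egress).

Constructed example, not code from any firewall named in the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP_DEST_UNREACH = 3      # ICMP type 3
ICMP_PORT_UNREACH = 3      # code 3: destination port unreachable


@dataclass
class Fragment:
    """One IPv4 fragment. Offsets and lengths are in 8-byte units, as in the
    IPv4 header. Only the offset-0 fragment carries the UDP header, so only
    it knows the destination port (a log viewer shows the rest as port 0)."""
    ip_id: int
    frag_offset: int
    length: int
    more_frags: bool
    dst_port: Optional[int] = None


def naive_inbound_filter(frag: Fragment, open_ports: set) -> bool:
    """Assumed model of the old behaviour: port rules are evaluated only on
    whole datagrams, so anything fragmented bypasses them unlogged."""
    if frag.frag_offset != 0 or frag.more_frags:
        return True
    return frag.dst_port in open_ports


def hardened_inbound_filter(frag: Fragment, open_ports: set) -> bool:
    """Drop every fragment at ingress and apply the port rule only to the
    unfragmented datagrams that remain."""
    if frag.frag_offset != 0 or frag.more_frags:
        return False
    return frag.dst_port in open_ports


def reassemble(frags: List[Fragment]) -> bool:
    """Return True if the fragments form one contiguous datagram: they must
    start at offset 0, leave no gaps, and end with a fragment whose MF bit
    is clear."""
    if not frags:
        return False
    ordered = sorted(frags, key=lambda f: f.frag_offset)
    expected = 0
    for f in ordered:
        if f.frag_offset != expected:
            return False
        expected += f.length
    return ordered[0].frag_offset == 0 and not ordered[-1].more_frags


def run_probe(inbound_filter, egress_blocks_unreach: bool,
              open_ports: set, frags: List[Fragment]) -> Dict[str, bool]:
    """Push fragments through the inbound filter, let the host reassemble
    whatever survives, and report whether the datagram reached the stack and
    whether an ICMP port-unreachable left the machine (the lost 'stealth')."""
    survivors = [f for f in frags if inbound_filter(f, open_ports)]
    if not reassemble(survivors):
        return {"reached_host": False, "icmp_out": False}
    dst_port = next(f.dst_port for f in survivors if f.frag_offset == 0)
    if dst_port in open_ports:
        return {"reached_host": True, "icmp_out": False}
    # Closed UDP port: the stack answers with ICMP type 3 code 3 unless the
    # firewall's egress rules drop that reply.
    return {"reached_host": True, "icmp_out": not egress_blocks_unreach}


# Constructed input: a two-fragment UDP datagram to port 1026 (the port the
# thread mentions), which has no listener on this host; only 53 is open.
OPEN_PORTS = {53}
PROBE = [
    Fragment(ip_id=0x1234, frag_offset=0, length=3, more_frags=True, dst_port=1026),
    Fragment(ip_id=0x1234, frag_offset=3, length=2, more_frags=False),
]
UNFRAGMENTED = [Fragment(ip_id=0x1235, frag_offset=0, length=5,
                         more_frags=False, dst_port=1026)]

if __name__ == "__main__":
    print("naive filter:             ", run_probe(naive_inbound_filter, False, OPEN_PORTS, PROBE))
    print("naive + egress ICMP block:", run_probe(naive_inbound_filter, True, OPEN_PORTS, PROBE))
    print("drop fragments at ingress:", run_probe(hardened_inbound_filter, False, OPEN_PORTS, PROBE))
    print("unfragmented, naive:      ", run_probe(naive_inbound_filter, False, OPEN_PORTS, UNFRAGMENTED))
```

The first run reproduces what Kerodo reports: the fragments reach the stack and an outbound ICMP type 3 code 3 is the only visible trace. Either fix removes that trace, but they differ in what the host learns: blocking the reply at egress still lets the datagram reach the stack, while dropping fragments at ingress keeps it off the host entirely.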

Kerodo

<snip>

Wow. They actually told you not to contact them again? If I were you I would
mail your CD back to them in a box, along with the best turd you could
manage. Have these people heard of customer service?

They are fairly bad at listening to communications, even in their own
forums online. I tested some of their beta versions recently and in the
past, and they don't seem to pay any attention to what users are telling
them. They're pretty bad.

If you want to see the opposite of that, just try Jetico Personal Firewall
and contact them with any questions or problems. They have the best
support for a free product that I've ever seen. Very excellent.. And it's
a better firewall than Kerio 2..

Leythos

If you want to see the opposite of that, just try Jetico Personal Firewall
and contact them with any questions or problems. They have the best
support for a free product that I've ever seen. Very excellent.. And it's
a better firewall than Kerio 2..

New companies always pay more attention and offer better deals to get you
to switch from a leader to their product. And since Kerio 2 is older, how
the heck can you make any comparison.

mhicaoidh

Taking a moment's reflection, Kerodo mused:
|
| Mostly fear I suspect. I think most people have concluded that nothing
| harmful can happen as a result of it. A few frag'd packets may slip thru,
| but any response to them will be blocked by Kerio, so what's the problem?
| I don't see how any harm can come from it. But maybe I'm missing
| something?

No, I don't think you are. ;-)

mhicaoidh

Taking a moment's reflection, Memnoch mused:
|
| How about if two years from now they let everyone know that there was a
| serious vulnerability found in today's software and they decided to keep
| quiet about it because they couldn't fix it?

Since you're arguing a created scenario ... I'll simply counter with:
What if they don't?