Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » STARTTLS plaintext command injection vulnerability
  •  
pal

Messages: 57
Karma: 2
Send a private message to this user
Didn't find any information on the last update changelog about this vulnerability. Is this fixed?

Vulnerability Note VU#555316
http://www.kb.cert.org/vuls/id/MAPG-8D9M4P
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
The status remains as described. It is solved in Kerio Connect 7.2.0. Anyway, the impact of this is low and disputable. If there is someone who can intercept the communication in man-in-the-middle attack then there is no problem to block STARTTLS at all.
  •  
stk_jj

Messages: 47
Karma: 0
Send a private message to this user
Kerio_pdobry wrote on Tue, 08 March 2011 16:18
If there is someone who can intercept the communication in man-in-the-middle attack then there is no problem to block STARTTLS at all.

what does that mean? How should I change my configuration of Kerio Connect (7.1.4) to avoid problems?
  •  
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Send a private message to this user
It's more a design problem of SMTP protocol, which is not immune to MITM attacks by design. Reported "vulnerability" has very low severity due to attacking vector - the attacker must listen to all your communication with the server. And in such case, he can do everything - this issue is just an extreme example.
Even most antivirus gateways or firewalls block STARTTLS in order to do scanning of the email data and attachments.

The only protection is to use SMTPS (SSL secured connection) in the client and force the client to verify server SSL certificate. Most of email clients don't do or even can't do this.
Or use WebMail clients.

[Updated on: Tue, 08 March 2011 16:53]

Previous Topic: Kerio Connect Administration API - Beta
Next Topic: Migrate away from Kerio
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Nov 19 00:40:21 CET 2017

Total time taken to generate the page: 0.00448 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.