Critical "Shellshock" bug, is Kerio Connect vulnerable?
  •  
freakinvibe

A new critical bug has been discovered today:

http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Can Kerio please let us know if KC is vulnerable?

Thanks,

freakinvibe

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
  •  
Mark Price (Kerio)

Hi there.

As this issue is related to the BASH shell, and affects Apple Mac, Linux and Unix systems at an OS level, any connect systems installed onto those supported platforms will need OS security updates to correct this.

Our Connect Appliance that runs on Debian though does have this issue and development are currently working on this as we speak. Currently, I have no further information but as soon as we hear anything we will update the forums.

I hope this helps.

Mark Price
Kerio technical support.

Log Support Incidents here: http://www.kerio.com/support
Also, please use our KB: http://kb.kerio.com
  •  
freakinvibe

Ok, thanks a lot for the fast feedback.

I have tested our Kerio installation on Windows Server here:

http://shellshocktest.com

and it appears not to be vulnerable (as to be expected), as there is no bash shell on Windows.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
  •  
spunga

Mark Price (Kerio) wrote on Thu, 25 September 2014 16:28
Hi there.

As this issue is related to the BASH shell, and affects Apple Mac, Linux and Unix systems at an OS level, any connect systems installed onto those supported platforms will need OS security updates to correct this.

Our Connect Appliance that runs on Debian though does have this issue and development are currently working on this as we speak. Currently, I have no further information but as soon as we hear anything we will update the forums.

I hope this helps.

I've read that the vulnerability can be exposed with server-side scripting. Does Kerio Connect's webmail (running OS X 10.6 Server) use server-side scripting?

[Updated on: Thu, 25 September 2014 17:00]

  •  
Pavel Dobry (Kerio)

Kerio Connect is not vulnerable. However, Linux and OS X operating systems are and should be updated. This is very important if the server also runs other potentially vulnerable services besides Kerio Connect.

[Updated on: Thu, 25 September 2014 19:31]


Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
indigospring

What about the Kerio-supplied virtual appliance?

Running apt-get upgrade does not show any available updates - you'd expect an update for bash to be available. Is it because the VM is running Debian Squeeze? Is a newer VM appliance available? Is upgrading the VM to a newer distribution supported by Kerio?
  •  
Pavel Dobry (Kerio)

indigospring wrote on Thu, 25 September 2014 23:35
What about the Kerio-supplied virtual appliance?

Running apt-get upgrade does not show any available updates - you'd expect an update for bash to be available. Is it because the VM is running Debian Squeeze? Is a newer VM appliance available? Is upgrading the VM to a newer distribution supported by Kerio?


It is described at http://tinyurl.com/KerioShellShock

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
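
The thread leaves open how to tell whether the bash on a given host (for example an appliance where apt-get offers no update) still has the flaw. The script below is an added example, not code from any poster or from Kerio: it runs the widely published local environment-variable probe against each bash binary it finds. The marker string and the list of candidate paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local check for the Shellshock function-import flaw in bash.
# MARKER and the candidate paths in audit_host are assumptions of this example.
MARKER="SHELLSHOCK_PROBE_HIT"   # constructed marker string

# check_bash PATH -> prints "vulnerable", "patched" or "absent"
check_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "absent"
        return 0
    fi
    # An affected bash imports the function definition found in the
    # environment and also runs the command that trails it, so the marker
    # appears in the output. A fixed bash prints only "done".
    out=$(env "probe=() { :;}; echo $MARKER" "$shell_path" -c 'echo done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "patched" ;;
    esac
}

# audit_host: report on every bash binary in the usual install locations
audit_host() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        printf '%s: %s\n' "$candidate" "$(check_bash "$candidate")"
    done
}

audit_host
```

A "patched" result covers only this original probe; installing the OS vendor's current bash package remains the fix the Kerio staff point to above.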