Home » Kerio User Forums » Kerio Control » Security vulnerabilities (Multiple vulnerabilities in Kerio Control )

Messages: 13
Karma: 0
Send a private message to this user
There are numerous vulnerabilities described in detail, including examples of attacks, by SEC Consults:

Vulnerability overview/description:
1 ) Unsafe usage of the PHP unserialize function and outdated PHP version leads
to remote-code-execution
2 ) PHP script allows heap spraying
3 ) CSRF Protection Bypass
4 ) Webserver running with root privileges
5 ) Reflected Cross Site Scripting (XSS)
6 ) Missing memory corruption protections
7 ) Information Disclosure leads to ASLR bypass
8 ) Remote Code Execution as administrator
9 ) Login not protected against brute-force attacks

Details to be found here:
http://blog.sec-consult.com/2016/09/controlling-kerio-contro l-when-your.html
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advi sories_txt/20160922-0_Kerio_Control_Potential_backdoor_acces s_through_multiple_vulnerabilities_v10.txt

What is the status of resolution? Any info available?

[Updated on: Sun, 19 March 2017 11:15]


Messages: 13
Karma: 0
Send a private message to this user
Thanks for quick response.

The referenced response described addressing three issues:
- remote-code-execution in PHP
- CSRF protection bypass
- reflected cross site scripting (XSS)

What is the status of the rest 5 vulnerabilities?
Probably brute-force attacks have been addressed as well (protection against repeated guesses, 2-step verification). What about th e rest, is there a roadmap for fixes?

[Updated on: Sun, 19 March 2017 21:00]

Previous Topic: AWS VPC connection over IPSEC
Next Topic: Bandwith Management did´t work
Goto Forum:

Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Sun Dec 16 12:11:56 CET 2018

Total time taken to generate the page: 0.96859 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.