Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Kerio MailServer Default Configuration Lets Certain Local Users Modify the Application and the Settings
SecurityTracker Alert ID: 1012524|
SecurityTracker URL: http://securitytracker.com/id/1012524
(Links to External Site)
Date: Dec 15 2004
Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): prior to 6.0.5|
A vulnerability was reported in the Kerio MailServer. A local user with certain privileges may be able to modify the configuration of the server or the mail server application itself.|
The Secure Computer Group at the University of a Coruna and the dotpi.com Information Technologies Research Labs reported that the application is installed by default in the 'Program Files' directory, which can be accessed by default by local users in the 'Power Users' user group. These local users can modify application binaries (that run as services with Local System privileges), install malicious DLL plug-ins, or modify the configuration.
The vendor was notified on November 8, 2004.
Javier Munoz of Secure Computer Group is credited with discovering this flaw.
A local user in the 'Power Users' user group can modify application binaries, install malicious DLL plug-ins, or modify the configuration files.|
The vendor has issued a fixed version (6.0.5) of the Kerio MailServer, available at:|
Vendor URL: www.kerio.com/ (Links to External Site)
Access control error, Configuration error|
Linux (Red Hat Enterprise), Linux (Red Hat Fedora), Linux (Red Hat Linux), Linux (SuSE), UNIX (OS X), Windows (2000), Windows (2003), Windows (XP)|
Source Message Contents
Date: Tue, 14 Dec 2004 11:08:25 +0100|
Subject: [CAN-2004-1023] Insecure default file system permissions on Microsoft
Secure Computer Group - University of A Coruna
-- x --
dotpi.com Information Technologies Research Labs
Document title: Insecure default file system permissions on
Microsoft versions of Kerio Software
Document revision: 1.0
Coordinated release date: 2004/12/14
Vendor Acknowledge date: 2004/11/10
Reported date: 2004/11/08
CVE Name: CAN-2004-1023
Other references: N/A
Impact: Privilege escalation
System sofware tampering
Second-stage attack vector
Alter configuration files
Recommendation: Update to latest version
Enforce file system ACLs
Vendor: Kerio Technologies Inc.
Affected software: Kerio WinRoute Firewall (all versions)
Kerio ServerFirewall (all versions)
Kerio MailServer (all windows versions)
Updates/Patches: Yes (see below)
1. Executive summary:
As a result of its collaboration relationship the Secure Computer
Group (SCG) along with dotpi.com Research Labs have determined
the following security issue on some Kerio Software.
Kerio WinRoute Firewall, Kerio ServerFirewall and Kerio MailServer
are installed by default under 'Program Files' system folder. No
change is done to the ACLs after the installation process.
As a result, anyone belonging to the 'Power Users' system group
would be able to modify binary files of services running as
LOCALSYSTEM, drop malicious DLLs the plug-ins folder or perform
any change on the XML files where the service settings are
System administrators should enforce ACL security settings in
order solve this problem. It is also highly recommended to
verify this settings as part of the planning, installation,
hardening and auditing processes.
New versions of the software solve this an other minor problems
so it is upgrade its highly recommended.
2. Technical details:
Following the latest trends and approaches to responsible
disclosure, SCG and dotpi.com are going to withhold details of
this flaw for three months.
Full details will be published on 2005/03/14. This three month
window will allow system administrators the time needed to
obtain the patch before the details are released to the general
3. Risk Assessment factors:
The attacker would need local interactive access to the
installation directory. Remote access is also possible but
default system settings do not make this easy.
The most risky scenarios are the ones in which the server machine
is shared among two or more users or those situations where Kerio
service management have been delegated to a third party any other
than local or domain system administrator.
Special care should be taken on such environments and every step
of the project: design, planning, deployment and management
should consider this security issues.
Privilege escalation, system and software tampering and the
ability to alter service configuration are all real issues and
all of them can be used as a second stage attack vector.
4. Solutions and recommendations:
Enforce the file system ACLs and/or upgrade to the latest
o Kerio Winroute Firewall 6.0.9
o Kerio ServerFirewall 1.0.1
o Kerio MailServer 6.0.5
As in any other case, follow, as much as possible, the Industry
'Best Practices' on Planning, Deployment and Operation on this
kind of services.
5. Common Vulnerabilities and Exposures (CVE) project:
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2004-1023 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.
1. Special thanks to Vladimir Toncar and Pavel Dobry and the whole
Technical Team from Kerio Technologies (support at kerio.com)
for their quick response and professional handling on this issue.
3. The whole Research Lab at dotpi.com and specially to Carlos Veira
for his leadership and support.
3. Secure Computer Group at University of A Coruna (scg at udc.es),
and specially to Antonino Santos del Riego powering new research
paths at University of a Coruna.
Javier Munoz (Secure Computer Group) is credited with this discovery.
 Kerio Technologies Inc.
 Kerio WinRoute Firewall Downloads & Updates
 Kerio ServerFirewall Downloads & Updates
 Kerio MailServer Downloads & Updates
 Secure Computer Group. University of A Coruna
 Secure Computer Group. Updated advisory
 dotpi.com Information Technologies S.L.
 dotpi.com Research Labs
Copyright (c) 2002-2004 Secure Computer Group. University of A Coruna
Copyright (c) 2004 dotpi.com Information Technologies S.L.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of the authors.
If you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please contact the authors
for explicit written permission at the following e-mail addresses:
(scg at udc.es) and (info at dotpi.com).
Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use
in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Go to the Top of This SecurityTracker Archive Page