Inadequate cryptography implementation in Kerio Control VPN protocol

Project Description

A vulnerability in the Kerio Control VPN protocol allowed an attacker to modify data transferred through the VPN.


Vendor description

Protect your network from viruses, malware and malicious activity with Kerio Control, the easy-to-administer yet powerful all-in-one security solution.

Kerio Control brings together next-generation firewall capabilities — including a network firewall and router, intrusion detection and prevention (IPS), gateway anti-virus, VPN, and web content and application filtering. These comprehensive capabilities and unmatched deployment flexibility make Kerio Control the ideal choice for small and mid-sized businesses.

Link headquarters to remote users and branch offices securely and easily. Kerio’s own VPN tunneling with dead-simple setup requires minimal configuration, and provides a high performance network connection. Or, use industry-standard IPsec/L2TP for connectivity from mobile devices or third-party firewalls. Enable 2-step verification for an extra layer of security on all forms of remote access.

Source: http://www.kerio.com/products/kerio-control

Business recommendation

During a quick evaluation of the Kerio Control VPN protocol, it was apparent, that the cryptographic protocol employed exhibited severe design issues.

Generally, SEC Consult strongly recommends to prefer well-established standard cryptographic protocols rather than proprietary protocols wherever possible (e.g. DTLS, IPsec). Due to their widespread use, they generally receive much greater attention by experts. Therefore, many design issues with these protocols have already been detected and mitigated since.

We therefore recommend businesses to switch from Kerio’s proprietary VPN protocol to a standard protocol (Kerio Control e.g. supports IPsec).

Note that no full audit of Kerio Control, Kerio VPN or the cryptographic protocol has been conducted. In addition to the vulnerabilities described here, we already identified critical vulnerabilities in Kerio Control in 2016. Hence we suspect there are more major security deficiencies in the product. We therefore recommend GFI software to greatly increase the efforts towards product security in order to keep customers secure.

We want to explicitly thank GFI for the professional handling of the communication during this whole process.

Vulnerability overview/description

After a TLS connection is established between the Kerio VPN client and the Kerio Control appliance and cryptographic keys have been securely transferred over this connection, the data sent through the VPN is transmitted in UDP packets. Each of these packets is encrypted using Blowfish in CTR mode.

As this mode does not provide data authenticity, encrypted data that is modified by an attacker results in predictable modification of the plaintext. More precisely, bits that are flipped in the ciphertext result in the same bits being flipped in the plaintext after decryption.

Each encrypted UDP datagram contains a simple checksum (the same checksum used by IPv4). Assuming an attacker knows the plaintext data of a datagram and is able to modify its ciphertext, it is trivial to change parts of the message, e.g. inject content into the encrypted stream, while keeping the resulting checksum identical.

Proof of concept

SEC Consult provided a proof of concept exploit script to GFI but it has been removed from this advisory in order to give customers more time to upgrade the infrastructure.

Vulnerable / tested versions

The version 9.2.7 build 2921 was found to be vulnerable. This version was the latest at the time of discovery and older versions are affected as well.

Vendor contact timeline

2018-10-17:Creating support case at https://gfisoftware.force.com, asking for security contact.
2018-10-17:GFI support: Asking to upload advisory to support portal.
2018-10-19:Uploading advisory.
2018-10-22GFI support: Escalated to engineers to further investigate.
2018-10-25GFI support acknowledges vulnerability.
2018-11-08GFI support: Beta version with patch available (with AES 128).
2018-11-09Asking for release date of the patch.
2018-11-12GFI support proposes 2018-12-05 as a release date for the advisory.
2018-11-19Confirming 2018-12-05 as release date.
2018-11-27GFI releases patched version 9.2.8
2018-11-30Asking for version number of the release with the fix.
2018-12-03GFI support: version 9.2.8 contains the patch.
2018-12-05Public release of the advisory.

Solution

According to GFI support, both Kerio VPN client and the Kerio Control servers need to be updated to version 9.2.8 to mitigate this issue. Note that Kerio Control still supports the vulnerable protocol for backwards compatibility. According to GFI support, the next version 9.2.9 will drop the support for the old VPN protocol and will only support the new AES-based protocol.

GFI support described a procedure to verify that only patched versions of the client are connected to the Kerio Control VPN:

Quote:

  1. Open Kerio Control administrative console
  2. Click Status from the left sidebar
  3. Click VPN Clients
  4. Here you have displayed the list of VPN Clients. If the version column is not visible, right click on the header, select columns and select Version
  5. Vulnerable clients are version 9.2.7 or earlier.

Information about the current release can be found here:

http://www.kerio.com/support/kerio-control/release-history

Workaround

none

 

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF W. Ettlinger / @2018

 

 

Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult?
Contact our local offices.

Project Details

  • TitleInadequate cryptography implementation
  • ProductKerio Control VPN protocol
  • Vulnerable version<=9.2.7
  • Fixed version9.2.8
  • CVE number-
  • ImpactHigh
  • Homepagehttp://www.kerio.com/products/kerio-control
  • Found2018-10
  • By W. Ettlinger (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back