Forums » The Site » Old Forums » Kerio - Tiny Support » [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE
matunga

join:2003-07-26

1 edit
[Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE

Kerio 4.0.7 and 4.0.8 have port 44334 OPEN !!!
The firewall has a big security hole!!!


Zupe
Premium,MVM
join:2001-11-29
New York, NY
clubs:

Being discussed here as well: »Just when you thought it was safe, but yes, that is a major problem. How something like that could get by testing is a bit alarming, and just another reason I may never be upgrading to version 4 at the rate they're going.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to matunga
Well, it was always configured through a TCP connection, remote or local, and listened on 44334 for connections... in 2.x, remote admin could be disabled, though, and there was password protection available. A firewall can listen for remote (or loopback) administrative connections, no problem, IF that can be properly secured - but one thing that worries me is this version has no password support, does it? Does it support remote admin? If so, this is a huge hole. You can't have a wide open firewall without passwords, sitting with an open admin port waiting for connections. That's not a firewall, if that's the case, that's a toy.
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...


Khaine

join:2003-03-03
Australia
reply to matunga
More like a ready-made 0wned box if you ask me.

I keep on hoping that Kerio will fix its firewall and at least make it equally powerful as 2.x, but as each day passes I get closer and closer to abandoning any hope I had that they may fix it.

matunga

join:2003-07-26

reply to gwion
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H

This is the official answer by Kerio staff I received by e-mail:

"Hello,

This port is for remote administration of KPF. The port is opened when a password is set.

With regards,

David Kral
Technical support engineer
"


madirish
Premium
join:2003-08-04
Cleveland, OH

Hi matunga, the only problem I have with their official answer is: I have the password disabled and PCFlank is still showing that port open. I think a more plausible explanation is here: »forums.kerio.com/index.php?t=msg···f726654b

Hopefully this will be fixed soon.

matunga

join:2003-07-26

said by madirish See Profile:
Hi matunga, the only problem I have with their official answer is: I have the password disabled and PCFlank is still showing that port open. I think a more plausible explanation is here: »forums.kerio.com/index.php?t=msg···f726654b
Hopefully this will be fixed soon.

yes, it happens to me too. Port 44334 is open.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to matunga
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE

(sigh of relief)... OK. That makes sense, then. It's a screw up... yes, hope that gets fixed... On the technical side, then, it sounds as if the remote admin disables if you don't set a password, which is actually a good idea... typically, there's a check to enable remote admin, and then you have to set a password independently... naturally, having a remote admin enabled and no password is around as humorous a contradiction to "firewalling" as you can get... rather like hanging a key next to the door, after you put a big brass deadbolt on it ... well... looks like another "release beta"...
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H

Well I was running the restricted version of 4.08, and had no access to these controls, yet my tcp 44334 port was wide open. I had no control over this, and it could have possibly allowed others to connect to my system as no password was set.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.

ghost16825
Use security metrics
Premium
join:2003-08-26


1 edit
reply to matunga
Probably irrelevant but regarding Kerio 2.15:

2.15 opens port 44334, but when the firewall is ENABLED it stealths this port.
However, if you DISABLE the firewall, while it's disabled obviously nothing is stealthed, hence 2.15 will show 44334 as open.
What this means:
If you disable the firewall (2.15 or 4) temporarily and during this time someone scans port 44334 and sees it's open, they know you are running a Kerio firewall. (Even if the remote admin/password for a localhost option is OFF)

I tested this using the Shields Up site, but the question is how well does this port stealth with other types of scans like FIN, ACK etc. when the firewall is ENABLED?

I don't like the idea of an app leaving a port open (even if it is a firewall) and then having a firewall stealth it. I'd rather have as many ports closed as I can and then use the firewall as an added measure.


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to matunga
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE

Kerio uses that port for -all- admins, local admin being accomplished via a loopback... and it isn't an unsound way to do it, just as long as the developer knows what he's doing and properly secures the administrative ports... problem arises where they're left open, and visible, they become a firewall fingerprint... and if they're left open, and unpassworded, they're an advertisement to get owned.

As far as defending against "half-open" scans, Kerio handled the Nmap scans I threw at it over my LAN fairly well, some time back, when I tested it... I may have to try doing it again, with 2.1.5 ... I think it might be interesting to do it with 4.x, sometime, but I would rather wait until something resembling a stable build comes out... and as far as I can see, so far, it ain't here, yet.
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...


the viper

join:2002-03-29
Nashua, NH

I did a full port scan 1-65535 lol while I ate turkey, and this was the result w/ KPF 4.008 IDS on and rule set from Blitzen from 2.1.5...

Port         Status     Service  Description
1-1970       stealthed  n/a      n/a
1972-2175    stealthed  n/a      n/a
2177-44333   stealthed  n/a      n/a
44335-65535  stealthed  n/a      n/a
1971         closed     n/a      n/a
2176         closed     n/a      n/a
44334        open       n/a      n/a

Recommendation:


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H

Ahh.. they made the worthless ids the component blocking the packet... Funny, how they want you to use a horribly coded ids, but your advanced rules are not able to block the packet. That is if it wasn't blocked by some other source.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.


the viper

join:2002-03-29
Nashua, NH
reply to matunga
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE

Question, Blitz: I did everything I could think of to make a rule to block 44334 but couldn't block it; it was like my rules didn't exist? Even with block all inbound on and a rule for that port.

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to the viper
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H

said by the viper See Profile:
I did a full port scan 1-65535 lol while I ate turkey, and this was the result w/ KPF 4.008 IDS on and rule set from Blitzen from 2.1.5...

Port         Status     Service  Description
1-1970       stealthed  n/a      n/a
1972-2175    stealthed  n/a      n/a
2177-44333   stealthed  n/a      n/a
44335-65535  stealthed  n/a      n/a
1971         closed     n/a      n/a
2176         closed     n/a      n/a
44334        open       n/a      n/a

Recommendation:

I can confirm that this affects 2.15 as well.
That's right 2.15!
I'm starting a new thread for this one.
»[Kerio 2.x] Ports open in all versions of Kerio 2.15!


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA


1 edit
reply to matunga
Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE

I need to clarify what I posted earlier. --- Tiny AND Kerio always listened for connections on that port. That was always part of the entire administrative process. Both local and remote. It's not inherently insecure to use a TCP connection for firewall administration... it's all in implementation... reason I want to clarify that is that, if anyone intends to see if that port is opened (as in by a netstat, from the inside) it absolutely is. If it weren't, you couldn't administrate the firewall - at all, locally or remotely.

I can, however, also verify that a SYN scan against 44334 on v 2.1.5 from outside is stopped by my "any inbound" rule, and logged, and returns the port as stealthed. With the inbound rule disabled, I receive a normal prompt, and after denying it, the port also returns stealthed. Evidently, they were doing it quite correctly, in version 2. Evidently, from what I'm reading, they seem to be doing it quite incorrectly, in 4.x ... this is with enable remote admin disabled. With remote admin enabled, the results are identical... I keep a password set, by the way, regardless of the status of my remote admin settings... one more line of defense...

Result (2.x) as long as you have no rule allowing it in a blanket fashion, and a block inbounds or the sense not to allow a remote connect to a port just because it asks, you're entirely safe with 2.x from a remote admin exploit.

It would seem to me, without testing, that there's a loopback allow implicit rule for the port, but that would also seem necessary and proper, in the sense that if someone absent mindedly blocked all loopbacks, they would succeed in creating a problem administrating their firewall, at all...
--
The willow bends unbroken when angry tempests blow,
The stately oak is levelled and all its strength laid low...
Oliver Wendell Holmes

Even when you feel like your life is fading
I know that you'll go on forever
You're that good...
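gwion's distinction above (netstat from the inside always shows 44334 listening, while an outside SYN scan may still find it stealthed) comes down to what address the admin port is bound to, which is the first thing a defender should check. The following is an added example, not code from the thread or from Kerio: it parses a constructed `netstat -an` sample (the lines are invented for illustration) and reports whether port 44334 is listening on loopback only or on all interfaces.

```python
import re
from ipaddress import ip_address

# Constructed sample in the style of Windows "netstat -an" output (invented,
# not captured from any real KPF install); 44334 is the admin port discussed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:44334        127.0.0.1:1059         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

ADMIN_PORT = 44334

# proto, local addr, local port, foreign addr, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_listeners(netstat_text):
    """Return (proto, bind_addr, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append((proto, addr, int(port)))
    return listeners


def classify_bind(addr):
    """'loopback' if reachable only from the local host, otherwise 'external'."""
    try:
        ip = ip_address(addr.strip("[]"))  # tolerate "[::1]" style IPv6 output
    except ValueError:
        return "external"  # "*" or other wildcard spellings: assume all interfaces
    return "loopback" if ip.is_loopback else "external"


def admin_port_exposure(netstat_text, port=ADMIN_PORT):
    """Summarise the admin port: 'not listening', 'loopback', or 'external'.

    A single wildcard (0.0.0.0 / ::) or interface-bound listener is enough to
    make the port reachable from the network, so 'external' wins over 'loopback'.
    """
    kinds = {classify_bind(a) for _p, a, prt in parse_listeners(netstat_text) if prt == port}
    if not kinds:
        return "not listening"
    return "external" if "external" in kinds else "loopback"
```

An 'external' result only says the socket is reachable in principle; whether the firewall's own rules then drop or stealth the probe is the separate question the thread's scan results address.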

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H

said by gwion See Profile:

It would seem to me, without testing, that there's a loopback allow implicit rule for the port, but that would also seem necessary and proper, in the sense that if someone absent mindedly blocked all loopbacks, they would succeed in creating a problem administrating their firewall, at all...
If I recall correctly, initially TPF and maybe KPF required Loopback rules for this very reason, but at some point the Loopback for the firewall was Hardwired, for exactly the reasons you explained above.
--
Dog and Butterfly


madirish
Premium
join:2003-08-04
Cleveland, OH

reply to matunga
From Kerio devs: "Hello all,

first of all, I am sorry for being so late. Please know, the KPF team is working on this bug. It is in close connection to the remote administration. Since it is within internal rules, none of you can stealth it right now even if you create an appropriate rule. The next release will solve this security bug.

Radek Siman (rsimankerio.com)
Developer"

Can't wait for the new build.


the viper

join:2002-03-29
Nashua, NH
Wow ghost really Damnit!

ghost16825
Use security metrics
Premium
join:2003-08-26
reply to matunga
No, I was completely wrong. 2.15 does stealth these ports. (I was running the firewall in a half-loaded up state - TCP attach errors etc)
Friday, 27-Nov 03:18:03 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.