Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE in Kerio

Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE in Kerio - Tiny Support http://www.dslreports.com/forum/r8599841 en Wed, 25 Nov 2009 10:40:50 EDT Wed, 25 Nov 2009 10:40:50 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8643613 the viper : Phew ok cool , I definately dont want a firewall that wont close a port when I ask it to.]]> http://www.dslreports.com/forum/remark,8643613 Sun, 30 Nov 2003 00:46:59 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8642100 ghost16825 : No, I was completely wrong. 2.15 does stealth these ports. (I was running the firewall in a half-loaded up state - TCP attach errors etc)]]> http://www.dslreports.com/forum/remark,8642100 Sat, 29 Nov 2003 21:51:31 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8631884 the viper : Wow ghost really Damnit!]]> http://www.dslreports.com/forum/remark,8631884 Fri, 28 Nov 2003 17:16:07 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8629027 madirish : From Kerio devs: "Hello all,

first of all, I am sorry being so late. Please know, KPF team is working on this bug. It is in close connection to the remote administration. Since it is withing internal rules, nobody of you can stealth it right now even if you create appropriate rule. The next release will solve this security bug.

Radek Siman (rsimankerio.com)
Developer"

Can't wait for the new build.]]> http://www.dslreports.com/forum/remark,8629027 Fri, 28 Nov 2003 11:03:03 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8628209 TheWiseGuy :

said by gwion :

It would seem to me, without testing, that there's a loopback allow implicit rule for the port, but that would also seem necessary and proper, in the sense that if someone absent mindedly blocked all loopbacks, they would succeed in creating a problem administrating their firewall, at all...

If I recall correctly, initially TPF and maybe KPF required Loopback rules for this very reason, but at some point the Loopback for the firewall was Hardwired, for exactly the reasons you explained above. :-)
--
Dog and Butterfly]]> http://www.dslreports.com/forum/remark,8628209 Fri, 28 Nov 2003 08:31:07 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8627629 gwion : I need to clarify what I posted earlier. :) --- Tiny AND Kerio always listened for connections on that port. That was always part of the entire administrative process. Both local and remote. It's not inherently insecure to use a TCP connection for firewall administration... it's all in implementation... reason I want to clarify that is that, if anyone intends to see if that port is opened (as in by a netstat, from the inside) it absolutely is. If it weren't, you couldn't administrate the firewall - at all, locally or remotely.

I can, however, also verify that a SYN scan against 44334 on v 2.1.5 from outside is stopped by my "any inbound" rule, and logged, and returns the port as stealthed. With the inbound rule disabled, I receive a normal prompt, and after denying it, the port also returns stealthed. Evidently, they were doing it quite correctly, in version 2. Evidently, from what I'm reading, they seem to be doing it quite incorrectly, in 4.x ... this is with enable remote admin disabled. With remote admin enabled, the results are identical... I keep a password set, by the way, regardless of the status of my remote admin settings... one more line of defense... :)

Result (2.x) as long as you have no rule allowing it in a blanket fashion, and a block inbounds or the sense not to allow a remote connect to a port just because it asks, you're entirely safe with 2.x from a remote admin exploit.

It would seem to me, without testing, that there's a loopback allow implicit rule for the port, but that would also seem necessary and proper, in the sense that if someone absent mindedly blocked all loopbacks, they would succeed in creating a problem administrating their firewall, at all...
--
The willow bends unbroken when angry tempests blow,
The stately oak is levelled and all its strength laid low...
Oliver Wendell Holmes

Even when you feel like your life is fading

I know that you'll go on forever

You're that good...]]> http://www.dslreports.com/forum/remark,8627629 Fri, 28 Nov 2003 03:39:51 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8627527 ghost16825 :

said by the viper :
I did a full port scann 1- 65535 lol while i ate Turkey , and this was the result w/ KPF 4.008 ids on and rule set from Blitzen from 2.1.5...

Port: Status Service Description
1-1970 stealthed n/a n/a
1972-2175 stealthed n/a n/a
2177-44333 stealthed n/a n/a
44335-65535 stealthed n/a n/a
1971 closed n/a n/a
2176 closed n/a n/a
44334 open n/a n/a

Recommendation:

I can confirm that this affects 2.15 as well.
That's right 2.15!
I'm starting a new tread for this one.
»[Kerio 2.x] Ports open in all versions of Kerio 2.15!]]> http://www.dslreports.com/forum/remark,8627527 Fri, 28 Nov 2003 02:52:53 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8624788 the viper : Question Blitz I did everything I could think of to make a rule to block 44334 but couldnt block it it was like my rules didnt exist? Even with block all inbound on and a rule for that port.]]> http://www.dslreports.com/forum/remark,8624788 Thu, 27 Nov 2003 19:30:53 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8624744 BlitzenZeus : Ahh.. they made the worthless ids the component blocking the packet... Funny, how they want you to use a horribly coded ids, but your advanced rules are not able to block the packet. That is if it wasn't blocked by some other source.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.]]> http://www.dslreports.com/forum/remark,8624744 Thu, 27 Nov 2003 19:22:03 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8624631 the viper : I did a full port scann 1- 65535 lol while i ate Turkey , and this was the result w/ KPF 4.008 ids on and rule set from Blitzen from 2.1.5...

Port: Status Service Description
1-1970 stealthed n/a n/a
1972-2175 stealthed n/a n/a
2177-44333 stealthed n/a n/a
44335-65535 stealthed n/a n/a
1971 closed n/a n/a
2176 closed n/a n/a
44334 open n/a n/a

Recommendation:]]> http://www.dslreports.com/forum/remark,8624631 Thu, 27 Nov 2003 19:04:33 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8599841 gwion : Kerio uses that port for -all- admins, local admin being accomplished via a loopback... and it isn't an unsound way to do it, just as long as the developer knows what he's doing and properly secures the administrative ports... problem arises where they're left open, and visible, they become a firewall fingerprint... and if they're left open, and unpassworded, they're an advertisement to get owned.

As far as defending against "half-open" scans, Kerio handled the nMap scans I threw at it over my LAN fairly well, some time back, when I tested it... I may have to try doing it again, with 2.1.5 ... I think it might be interesting to do it with 4.x, sometime, but I would rather wait until something resembling a stable build comes out... and as far as I can see, so far, it ain't here, yet.
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...]]> http://www.dslreports.com/forum/remark,8599841 Tue, 25 Nov 2003 02:53:12 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8599477 ghost16825 : Probably irrelevant but regarding Kerio 2.15:

2.15 opens port 44334 but when the firewall is ENABLED stealths this port.
However, if you DISABLE the firewall, while it's disabled obviously nothing is stealthed hence 2.15 will show 44334 as open.
What this means:
If you disable the firewall (2.15 or 4) temporarily and during this time someone scans port 44334 and sees it's open, they know you are running a Kerio firewall. (Even if the remote admin/password for a localhost option is OFF)

I tested this using the Shields Up site, but the question is how well does this port stealth with other types of scans like FIN, ACK etc.when the firewall is ENABLED?

I don't like the idea of an app leaving an port open (even if it is a firewall) and then having a firewall stealth it. I'd rather have as many ports closed as I can and then use the firewall as an added measure.

]]> http://www.dslreports.com/forum/remark,8599477 Tue, 25 Nov 2003 01:21:32 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8593518 BlitzenZeus : Well I was running the restricted version of 4.08, and had no access to these controls, yet my tcp 44334 port was wide open. I had no control over this, and it could have possibly allowed others to connect to my system as no password was set.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.]]> http://www.dslreports.com/forum/remark,8593518 Mon, 24 Nov 2003 15:05:54 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8593430 gwion : (sigh of relief)... OK. That makes sense, then. It's a screw up... yes, hope that gets fixed... On the technical side, then, it sounds as if the remote admin disables if you don't set a password, which is actually a good idea... typically, there's a check to enable remote admin, and then you have to set a password independently... naturally, having a remote admin enabled and no password is around as humorous a contradiction to "firewalling" as you can get... rather like hanging a key next to the door, after you put a big brass deadbolt on it :) ... well... looks like another "release beta"... ;)
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...]]> http://www.dslreports.com/forum/remark,8593430 Mon, 24 Nov 2003 14:56:54 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8591889 matunga :

said by madirish :
Hi matunga,The only problem I have with their official answer is-I have the password disabled and PCFlank is still showing that port open.I think a more plausible explanation is here: »forums.kerio.com/index.php?t=msg···f726654b
Hopefully this will be fixed soon.

yes, it happens to me too. Port 44334 is open.]]> http://www.dslreports.com/forum/remark,8591889 Mon, 24 Nov 2003 12:03:20 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8591316 madirish : Hi matunga,The only problem I have with their official answer is-I have the password disabled and PCFlank is still showing that port open.I think a more plausible explanation is here: »forums.kerio.com/index.php?t=msg···f726654b

Hopefully this will be fixed soon. ]]> http://www.dslreports.com/forum/remark,8591316 Mon, 24 Nov 2003 10:52:26 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY H http://www.dslreports.com/forum/remark,8590843 matunga : This is the official answer by Kerio staff I received by e-mail:

"Hello,

This port is for remote adimistration of KPF. Port is opened when password is seted.

S pozdravem

David Kral
Technical support engineer
"]]> http://www.dslreports.com/forum/remark,8590843 Mon, 24 Nov 2003 09:45:18 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8589301 Khaine : More like a ready-made" 0wned box if you ask me.

I keep on hoping that kerio will fix its firewall and at least make it equally powerful as 2.x, but as each day passes I get closer and closer to abanding any hope I had that they may fix it.]]> http://www.dslreports.com/forum/remark,8589301 Mon, 24 Nov 2003 01:02:51 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8588806 gwion : Well, it always configured through a TCP connection, remote or local, and listened on 44334 for connections... in 2.x, remote admin could be disabled, though, and there was password protection available. A firewall can listen for remote (or loopback) administrative connections, no problem, IF that can be properly secured - but one thing that worries me is this version has no password support, does it? Does it support remote admin? If so, this is a huge hole. You can't have a wide open firewall without passwords, sitting with an open admin port waiting for connections. That's not a firewall, if that's the case, that's a toy.
--
Even when you feel like your life is fading
I know that you'll go on forever
You're that good...]]> http://www.dslreports.com/forum/remark,8588806 Sun, 23 Nov 2003 23:44:26 EDT Re: [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8583795 Zupe : Being discussed here as well: »Just when you thought it was safe , but yes, that is a major problem. How something like that could get by testing is a bit alarming, and just another reason I may never be upgrading to version 4 at the rate they're going :[
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?]]> http://www.dslreports.com/forum/remark,8583795 Sun, 23 Nov 2003 13:48:35 EDT [Kerio 4.x] port 44334 is OPEN: BIG SECURITY HOLE http://www.dslreports.com/forum/remark,8582207 matunga : Kerio 4.0.7 and 4.0.8 have port 44334 OPEN !!!
The firewall has a big security hole!!!

]]> http://www.dslreports.com/forum/remark,8582207 Sun, 23 Nov 2003 09:48:43 EDT