Cisco Support Community
5740:0 Kerio Personal Firewall Remote Authentication Buffer Overflow

Triggers on certain FTP data traffic. Unfortunately I cannot supply pcap data (customer network).

Perhaps you can tune the regexp to be slightly more intelligent (check for a real Kerio Personal Firewall?).

Thanks.

3 REPLIES

Re: 5740:0 Kerio Personal Firewall Remote Authentication Buffer

Mattias,

This signature detects a very specific data structure and offset on a high-order port (44334) that is normally unique to the Kerio PFW administration application.

Port 44334 is used for Tiny Personal Firewall or Kerio Personal Firewall administration.

Of course, some FTP clients and PASV FTP can allow random port assignments for the data stream, so this signature could certainly fire in this case if there were a match.

Also, technically any application that could allow custom use of port 44334 might have the potential to randomly fire this signature.

But I would think it would be a very uncommon coincidence of properly formatted/offset data and the port.

We'll look into this though, and in the meantime if there is any way you could provide a pcap, that would help quite a bit.

I understand that is unlikely, however at this point all of our testing was unable to reproduce an FP, so any suspect sample you might provide could be very helpful.

We'll also update the documentation of this signature to indicate that some benign triggers may exist. The key differentiator would be that if the client is not running Kerio PFW or Tiny PFW, this is a benign trigger.

Thank you for bringing this to our attention.

Al

IPS Signature Development Team


Re: 5740:0 Kerio Personal Firewall Remote Authentication Buffer

Thanks for your answer.

Very large amounts of data are transferred through this network with passive ftp. It seems that this data sometimes matches the "very specific data structure and offset".

Since it triggers avg. 8 times per day at this sensor I figured there might be something you could do about it.

I haven't looked into this vulnerability, but is it really necessary to check every packet in this TCP stream? Checking the first packet(s) would probably reduce the FP drastically.


Re: 5740:0 Kerio Personal Firewall Remote Authentication Buffer

Actually, since we have this tied to Exact Match Offset, this is the offset within the stream, not just a single packet. So this is actually the most exact location within the stream that we can provide.

One thing you didn't mention was the version your customer was running. Are they running 4.x or 5.x?

If they are running 5.x we can provide a custom META signature that you could configure for them that would reduce the FP. The risk is that the new custom META will miss most variants of the Kerio vulnerability as demonstrated by some test suites available as they do not mimic or require the full authentication exchange for the Kerio PFW. So I don't think this is a very valuable solution.

In my opinion, since this is an older vulnerability, if your customer does not normally run KPW on their clients, it may make sense to disable this signature for their network.

In the meantime I'll look into this further to see if we can increase the fidelity, but from my research this is the best solution for catching most varieties of exploitations of this vulnerability, especially if they mutate.

Al
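The two mechanisms argued over in this thread, a match at an exact offset within the reassembled TCP stream (rather than within any one packet) and a PASV data channel that happens to land on port 44334, can be reproduced in a few dozen lines. The following is an added illustration, not Cisco's signature engine or the content of 5740:0: the pattern bytes and offset are hypothetical placeholders, the traffic is constructed, and the FTP 227-reply tracker is one possible way to down-rank a match on a port that FTP itself handed out, which nobody in the thread proposed or tested.

```python
"""Stream-offset signature matching versus per-packet matching, plus a PASV
tracker for flagging benign triggers on FTP data channels.

Illustration only; not Cisco IPS code and not the real 5740:0 pattern.
"""
import re

KERIO_ADMIN_PORT = 44334  # Kerio / Tiny PFW administration port (from the thread)

# Hypothetical placeholders: the real signature's bytes and offset are not on the page.
SIG_OFFSET = 8
SIG_PATTERN = b"\x00\x00\x00\x01\x00\x00\x10\x00"

# FTP reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(rb"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def reassemble(segments, isn):
    """Return the contiguous byte stream received so far.

    segments: iterable of (seq, payload), in any order.  Bytes after the
    first hole are withheld, as a sensor would do, so the signature is only
    ever evaluated against data that really arrived in order.
    """
    buf = bytearray()
    for seq, payload in sorted(segments):
        off = seq - isn
        if off < 0:                      # data before the ISN: ignore
            continue
        if off > len(buf):               # hole in the stream: stop until filled
            break
        if off + len(payload) <= len(buf):  # pure retransmit: nothing new
            continue
        buf.extend(payload[len(buf) - off:])  # append only the unseen tail
    return bytes(buf)


def stream_match(stream, offset=SIG_OFFSET, pattern=SIG_PATTERN):
    """Exact-offset match against the reassembled stream (what the signature does)."""
    return stream[offset:offset + len(pattern)] == pattern


def per_packet_match(segments, offset=SIG_OFFSET, pattern=SIG_PATTERN):
    """Naive alternative: test the offset inside each packet on its own.
    It misses the match as soon as the pattern straddles a segment boundary."""
    return any(p[offset:offset + len(pattern)] == pattern for _, p in segments)


class PasvTracker:
    """Remembers (ip, port) data channels announced in FTP 227 replies."""

    def __init__(self):
        self.expected = set()

    def observe_control(self, payload):
        for m in PASV_RE.finditer(payload):
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            self.expected.add((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))

    def is_ftp_data(self, ip, port):
        return (ip, port) in self.expected


def evaluate(flow, tracker=None):
    """Return 'no-match', 'alert', or 'alert-ftp-data' for a flow dict."""
    if flow["dst_port"] != KERIO_ADMIN_PORT:
        return "no-match"
    stream = reassemble(flow["segments"], flow["isn"])
    if not stream_match(stream):
        return "no-match"
    if tracker and tracker.is_ftp_data(flow["dst_ip"], flow["dst_port"]):
        return "alert-ftp-data"  # port was allocated by FTP PASV: likely a benign trigger
    return "alert"


# --- constructed sample traffic (not a capture) ---
ISN = 1000
MESSAGE = b"KERIOADM" + SIG_PATTERN + b"\x00" * 16  # pattern sits at stream offset 8
# Split so the pattern straddles the segment boundary at offset 12; deliver out of order.
SAMPLE_SEGMENTS = [(ISN + 12, MESSAGE[12:]), (ISN, MESSAGE[:12])]
SAMPLE_FLOW = {"dst_ip": "10.0.0.5", "dst_port": KERIO_ADMIN_PORT,
               "isn": ISN, "segments": SAMPLE_SEGMENTS}
# FTP control reply that allocates 173*256 + 46 = 44334 as the PASV data port.
SAMPLE_PASV_REPLY = b"227 Entering Passive Mode (10,0,0,5,173,46)\r\n"


def demo():
    stream = reassemble(SAMPLE_SEGMENTS, ISN)
    tracker = PasvTracker()
    tracker.observe_control(SAMPLE_PASV_REPLY)
    return {
        "stream_match": stream_match(stream),          # True
        "per_packet_match": per_packet_match(SAMPLE_SEGMENTS),  # False
        "verdict_plain": evaluate(SAMPLE_FLOW),         # 'alert'
        "verdict_with_pasv": evaluate(SAMPLE_FLOW, tracker),  # 'alert-ftp-data'
    }


if __name__ == "__main__":
    print(demo())
```

The split sample shows why checking "the first packet(s)" is not the same as checking the first bytes of the stream: the offset is only meaningful after reassembly. The tracker does not suppress the alert, it only labels it, because a data channel negotiated by FTP is exactly where a large random transfer is most likely to collide with the pattern, and suppressing it outright would also hide an attacker who deliberately chose port 44334 behind a PASV reply.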
