Re: Huge security hole in Kerio 2.1.5



Richard Jones
07-09-2005, 10:52 PM
Laurent wrote:

>I've just been told that Kerio 2.1.5, which was considered to be the (or one of the) best choice, doesn't "see" (and doesn't intercept...) fragmented packets, and thus wouldn't be efficient toward an attack based on fragmented packets (see below)

<snip>

>Even in this case, "simple" ping doesn't work, but "fragmented" ping does...

What could happen if these 2 scenarios did take place?

Are there documented cases? Not tests, but real cases of damage to a
computer by these attacks?

Thanks,

-rich

Imhotep
07-09-2005, 10:52 PM
Richard Jones wrote:

> Laurent wrote:
>
>>I've just been told that Kerio 2.1.5, which was considered to be the (or
>>one of the) best choice, doesn't "see" (and doesn't intercept...)
>>fragmented packets, and thus wouldn't be efficient toward an attack based
>>on fragmented packets (see below)
>
> <snip>
>
>>Even in this case, "simple" ping doesn't work, but "fragmented" ping
>>does...
>
> What could happen if these 2 scenarios did take place?
>
> Are there documented cases? Not tests, but real cases of damage to a
> computer by these attacks?
>
> Thanks,
>
> -rich

IP packet reassembly is supposed, strictly speaking in terms of compliance
with the specification, to be handled at the receiving host. Is this a host
based firewall?

Also, you can block all fragmented IP packets if you wish. Most companies do
this nowadays anyway. IP fragments are not as big of a deal as they once
were. They were a bigger deal when you had Ethernet-to-Token Ring, etc.
networks that had differing MTUs. Nowadays I can only think of one case
where they are still an issue, and that is IPSec VPNs...

-Im
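To make the two points above concrete (reassembly belongs to the receiving host, and a firewall may simply drop every fragment), here is an added example that is not code from the thread or from Kerio. It parses IPv4 headers to classify a packet as whole, first fragment or non-first fragment, implements the "drop all fragments" policy, and reassembles a constructed fragmented ICMP echo request so you can see that only the first fragment carries the ICMP header; a per-packet filter that never reassembles has nothing to match on in the later fragments. Addresses (192.0.2.x), the identification value and the payload are constructed sample data, and the IP header checksum is left zero since nothing here verifies it.

```python
"""Fragment classification, a drop-all-fragments policy, and host-side reassembly.
Added example; sample packets are constructed inline, no network access needed."""
import struct
from typing import Dict, List, Optional, Tuple

IP_MF = 0x2000        # "More Fragments" flag bit
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units
ICMP_PROTO = 1

# Constructed ICMP echo request: type 8, code 0, checksum 0, id, seq, 16 data bytes.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"abcdefghijklmnop"


def build_ipv4(payload: bytes, ident: int, offset: int, more: bool,
               proto: int = ICMP_PROTO) -> bytes:
    """Construct a minimal IPv4 packet (no options, checksum left zero)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 bytes"
    flags_off = (IP_MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def fragment(payload: bytes, ident: int, chunk: int = 8,
             proto: int = ICMP_PROTO) -> List[bytes]:
    """Split a transport payload into IPv4 fragments of `chunk` bytes (multiple of 8)."""
    frags = []
    for off in range(0, len(payload), chunk):
        more = off + chunk < len(payload)
        frags.append(build_ipv4(payload[off:off + chunk], ident, off, more, proto))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields a fragment filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8,
            "payload": pkt[ihl:total_len]}


def classify(pkt: bytes) -> str:
    """'whole', 'first-fragment' (offset 0, carries the transport header) or 'non-first-fragment'."""
    h = parse_ipv4(pkt)
    if not h["mf"] and h["offset"] == 0:
        return "whole"
    return "first-fragment" if h["offset"] == 0 else "non-first-fragment"


def drop_fragment(pkt: bytes) -> bool:
    """The blanket policy mentioned in the thread: drop anything that is a fragment."""
    return classify(pkt) != "whole"


class Reassembler:
    """Host-side reassembly keyed on (src, dst, proto, ident); tolerates out-of-order arrival."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[bytes, bytes, int, int], dict] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        """Return the full transport payload once every byte is present, else None."""
        h = parse_ipv4(pkt)
        if classify(pkt) == "whole":
            return h["payload"]
        key = (h["src"], h["dst"], h["proto"], h["ident"])
        state = self.pending.setdefault(key, {"parts": {}, "total": None})
        state["parts"][h["offset"]] = h["payload"]
        if not h["mf"]:                       # last fragment fixes the total length
            state["total"] = h["offset"] + len(h["payload"])
        if state["total"] is None:
            return None
        buf, pos = bytearray(), 0              # walk the datagram; any hole means "not yet"
        while pos < state["total"]:
            part = state["parts"].get(pos)
            if part is None:
                return None
            buf += part
            pos += len(part)
        del self.pending[key]
        return bytes(buf)


def icmp_type(payload: bytes) -> int:
    """ICMP type is the first byte of the reassembled datagram (8 = echo request)."""
    return payload[0]
```

Usage: `fragment(ICMP_ECHO, ident=0xBEEF)` yields three fragments; `classify` reports the first as `first-fragment` and the rest as `non-first-fragment`, `drop_fragment` is true for all three, and a `Reassembler` fed the fragments in any order returns the original ICMP echo only once the last hole is filled.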

Richard Jones
07-09-2005, 10:52 PM
Imhotep wrote:

>IP fragments are not as big of a deal as they once
>were. They were a bigger deal when you had Ethernet-to-Token Ring, etc.
>networks that had differing MTUs. Nowadays I can only think of one case
>where they are still an issue, and that is IPSec VPNs...


Thanks, Im.

Whew! I'm relieved. I saw this thread and thought, Oh dear, it's 'bash
Kerio time' again. What is it this time? Fragmented packets... Aaagggg -
a frag...

Ho hum... Pretty old stuff to us hardened Kerio users. On the alarm
scale of 1 to 10, might register a 1.

Why? Because in any good home security setup, a firewall is the *least*
important security measure.

First of importance, is an anti-executable program (e.g., ProcessGuard;
FreezeX)

Then, an anti-script program (e.g., WormGuard; alternative method: disable
WSH)

Finally, a lockdown program (e.g., ShadowUser; Deep Freeze)

The firewall being first in line just reduces the nuisance factor.

BTW - for those for whom a router is the be-all and end-all of inbound
security, it's a sad state of affairs for the poor soul who freaked out
when an inbound attempt via port 1026 got by his router, and was blocked
by... you guessed it... Kerio 2.1.5.

Unsolicited UDP gets by NAT?
http://www.dslreports.com/forum/remark,13468899

regards,

-rich
