Advisory 2006-07-15.01

Kerio Terminating 'kpf4ss.exe' using internal runtime error Vulnerability

Basic information:

Description:

Kerio uses strange ring3 hooks that communicates the Kerio driver using an interupt. Windows API CreateRemoteThread is hooked by Kerio in user mode in every process. Calling this API can cause a crash of the Kerio service 'kpf4ss.exe'. The cause of this behaviour is unknown. The crash of the Kerio service equals to disabling the protection. The tray icon of Kerio is not functional any more after exploiting the bug, any aplication can perform arbitrary protected action including Internet access and process creation.

Vulnerable software:

• Sunbelt Kerio Personal Firewall 4.3.246

Not vulnerable software:

• Sunbelt Kerio Personal Firewall 4.3.268 and higher
• Sunbelt Kerio Personal Firewall 4.2.3.912
• probably all older versions

Events:

• 2006-07-28: Exploit code available again
• 2006-07-21: Candidate for inclusion in the CVE list
• 2006-07-19: The product vendor released a new version, bug is fixed
• 2006-07-17: Received request from the product vendor to temporarily remove the exploit code
• 2006-07-17: Vulnerability confirmed by popular information sources
• 2006-07-15: Advisory released
• 2006-07-15: Vendor notification

References:

• National Vulnerability Database
• Common Vulnerabilities and Exposures
• SecuriTeam - Windows NT Focus
• Packet Storm Security Advisory
• SecurityFocus Vulnerabilities
• Secunia Advisories
• Sunbelt Kerio Personal Firewall

valid HTML 4.01 · valid CSS 2 · optimized for you · design by martina · powered by jan · generated on August 21, 2008