Answer
Kerio Connect
This vulnerability affects:
- Kerio Connect 8.2.0 (32-bit, 64-bit)
- Kerio Connect 8.2.1 (32-bit, 64-bit)
- Kerio Connect 8.2.2 (32-bit, 64-bit)
- Kerio Connect 8.2.3 (32-bit, 64-bit)
- Kerio Connect 8.3 all beta versions
This is fixed in Kerio Connect 8.2.4 and later. Upgrading is highly recommended for all customers running Kerio Connect 8.2.0 - 8.2.3.
Post installation steps - Security precautions
Due to the nature of the problem, all server SSL certificates (including private keys) and all user passwords should be considered compromised. Kerio recommends the following actions as security precautions after applying the hotfix or upgrading to Kerio Connect 8.2.4:
- We recommend revoking your existing server SSL certificate on the Kerio Connect server and re-issuing a new one from your Certification Authority. Note that you must generate a new private key and a new CSR file; see our KnowledgeBase article http://kb.kerio.com/1132 for help. Re-using the existing private key when renewing the certificate is not secure, because the key itself may have been disclosed.
- We highly recommend changing all passwords. This includes user passwords (account passwords from the local database and passwords of users from directory services - Active Directory, Open Directory), the POP3 download password (if used), the SMTP relay password (if used), the HTTP proxy password (if used), the administration password, etc. We recommend using a Password Policy to enforce strong user passwords: http://kb.kerio.com/1440
- Re-create the DKIM key for your email domains. See http://kb.kerio.com/1483 for details about creating a new DKIM key in Kerio Connect.
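The key-rotation step in the first precaution above, carried out with the openssl command line, as an added example (this is not Kerio's tooling or code from the article): the script generates a fresh private key and CSR with restrictive file permissions, and it checks that a CSR does not carry the old key's public part, which is exactly the "renewal with a re-used key" the article warns against. It assumes the openssl CLI (1.0.0 or newer) is installed; the subject name, the output directory and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not Kerio's tooling: generate a fresh private key and CSR for
# re-issuing the server certificate after CVE-2014-0160, and verify that a CSR
# is not built on the compromised key. Assumes the openssl CLI (>= 1.0.0).
set -eu

# new_key_and_csr NEWKEY NEWCSR SUBJECT
# Creates a new 2048-bit RSA key and a CSR for SUBJECT. The umask keeps the key
# file owner-readable only from the moment it is created.
new_key_and_csr() {
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1" -out "$2" -subj "$3" )
}

# pubkey_fingerprint KEYFILE -> SHA-256 of the DER-encoded public key
pubkey_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# csr_pubkey_fingerprint CSRFILE -> SHA-256 of the public key inside the CSR
csr_pubkey_fingerprint() {
  openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# keys_differ KEY_A KEY_B -> exit 0 only if the two keys have different public parts
keys_differ() {
  a=$(pubkey_fingerprint "$1")
  b=$(pubkey_fingerprint "$2")
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# csr_reuses_key CSR OLDKEY -> exit 0 if the CSR was made with OLDKEY (the unsafe case)
csr_reuses_key() {
  c=$(csr_pubkey_fingerprint "$1")
  k=$(pubkey_fingerprint "$2")
  [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# rotate OLD_KEY OUTDIR SUBJECT: write OUTDIR/server.key and OUTDIR/server.csr,
# and refuse to report success if the CSR still carries the old key.
rotate() {
  old_key=$1; outdir=$2; subject=$3
  mkdir -p "$outdir"
  new_key_and_csr "$outdir/server.key" "$outdir/server.csr" "$subject"
  if csr_reuses_key "$outdir/server.csr" "$old_key"; then
    echo "ERROR: $outdir/server.csr uses the old key; do not submit it" >&2
    return 1
  fi
  echo "new key written to $outdir/server.key; submit $outdir/server.csr to your CA and revoke the old certificate"
}

# Usage: sh rotate-key.sh /path/to/old/server.key [/CN=mail.example.com]
if [ $# -ge 1 ]; then
  rotate "$1" ./newcert "${2:-/CN=mail.example.com}"
fi
```

`csr_reuses_key` is also handy on its own: run it against a CSR someone hands you and the key the server used before the hotfix, and a zero exit status tells you the "new" certificate would be issued for a key that must be treated as disclosed.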
Hotfix details
Kerio Connect 8.2.4 addresses CVE-2014-0160 (Heartbleed), a vulnerability in the OpenSSL 1.0.1 library. Kerio Connect 8.2 uses OpenSSL version 1.0.1e, which is vulnerable. This hotfix replaces the OpenSSL libraries used by Kerio Connect with a fixed version.
This hotfix is valid only for the following versions:
- Kerio Connect 8.2.0 (32-bit, 64-bit)
- Kerio Connect 8.2.1 (32-bit, 64-bit)
- Kerio Connect 8.2.2 (32-bit, 64-bit)
- Kerio Connect 8.2.3 (32-bit, 64-bit)
Customers running Kerio Connect 8.1.3 or older versions are not affected and do not need to apply this hotfix.
After applying the hotfix, please follow the "Security precautions" guide above to minimize the risk of data loss and unauthorized access.
Installation instructions
Windows
- Download the 32-bit or 64-bit hotfix archive (matching your current Kerio Connect version) from the list below.
- Copy the .zip archive to the directory where Kerio Connect is installed (by default c:\Program Files\Kerio\MailServer\ or c:\Program Files (x86)\Kerio\MailServer\ on a 64-bit Windows system).
- Stop the Kerio Connect service.
- Extract the content of the archive with a ZIP extractor into the current directory, overwriting the existing ktlibeay100x64_1.0.1e.dll and ktssleay100x64_1.0.1e.dll files. Note that on a 64-bit system the libraries in the plugins subdirectory have different names (ktlibeay100_1.0.1e.dll and ktssleay100_1.0.1e.dll).
- Start the Kerio Connect service.
- Kerio Connect 8.2 is now no longer vulnerable to CVE-2014-0160.
Linux
- Download the 32-bit or 64-bit hotfix archive for Linux (matching your current Kerio Connect version).
- Open a terminal and log in as root:
sudo su
- Copy the archive to the Kerio Connect directory:
cp Kerio_Connect_8_2_i386_hotfix_CVE_2014_0160.tgz /opt/kerio/mailserver
or:
cp Kerio_Connect_8_2_amd64_hotfix_CVE_2014_0160.tgz /opt/kerio/mailserver
- Stop the Kerio Connect service:
Ubuntu: service kerio-connect stop
SUSE: systemctl stop kerio-connect.service
other: /etc/init.d/kerio-connect stop
- Extract the content of the archive:
cd /opt/kerio/mailserver
tar zxvf Kerio_Connect_8_2_i386_hotfix_CVE_2014_0160.tgz
or:
tar zxvf Kerio_Connect_8_2_amd64_hotfix_CVE_2014_0160.tgz
- Start the Kerio Connect service:
Ubuntu: service kerio-connect start
SUSE: systemctl start kerio-connect.service
other: /etc/init.d/kerio-connect start
- Now you can close the terminal. Kerio Connect 8.2 is no longer vulnerable to CVE-2014-0160.
Kerio Virtual Appliance with Kerio Connect
- Make sure that remote SSH access is enabled in your virtual appliance. A guide for enabling remote SSH can be found in the Kerio KnowledgeBase article, in the "Enabling SSH" chapter.
- Download the hotfix file for 32-bit Linux to your computer.
- Copy the file to the virtual appliance with SCP (WinSCP or the scp utility):
scp Kerio_Connect_8_2_i386_hotfix_CVE_2014_0160.tgz root@yourserver.domain.com:/opt/kerio/mailserver/
(assuming that yourserver.domain.com is the hostname of your Kerio Connect installation).
- Log in to the virtual appliance with SSH as user root.
- Stop Kerio Connect service:
/etc/init.d/kerio-connect stop
- Extract the content of the archive:
cd /opt/kerio/mailserver
tar zxvf Kerio_Connect_8_2_i386_hotfix_CVE_2014_0160.tgz
- Start Kerio Connect service:
/etc/init.d/kerio-connect start
- Now you can close the SSH session. Kerio Connect 8.2 is no longer vulnerable to CVE-2014-0160.
OS X
- Download the hotfix archive for OS X.
- Open Terminal and log in as root:
sudo su
- Copy the archive to Kerio Connect directory:
cp Downloads/Kerio_Connect_8_2_OS_X_hotfix_CVE_2014_0160.tgz /usr/local/kerio/mailserver
- Stop Kerio Connect service:
/usr/local/kerio/mailserver/KerioMailServer stop
- Extract the content of the archive:
cd /usr/local/kerio/mailserver
tar zxvf Kerio_Connect_8_2_OS_X_hotfix_CVE_2014_0160.tgz
- Start Kerio Connect service:
/usr/local/kerio/mailserver/KerioMailServer start
- Now you can close the Terminal application. Kerio Connect 8.2 is no longer vulnerable to CVE-2014-0160.
Downloadable files
File signatures
SHA-1 checksums:
e13d211c25ba7e345437e0887609ee2ec13e816b *Kerio_Connect_8_2_64_bit_hotfix_CVE_2014_0160.zip
1b1ac3684ecde701ffd5bf6ca4f05761e5bff639 *Kerio_Connect_8_2_32_bit_hotfix_CVE_2014_0160.zip
a129b5c690f9b65b1e241a731b78965511df316f *Kerio_Connect_8_2_OS_X_hotfix_CVE_2014_0160.tgz
6bfd0b8a4c4781777f4e4993dcf888ae02776527 *Kerio_Connect_8_2_amd64_hotfix_CVE_2014_0160.tgz
f332aa424d519a35d12d1856e3bb214a0141a039 *Kerio_Connect_8_2_i386_hotfix_CVE_2014_0160.tgz
Kerio Control
This affects Kerio Control versions 8.2.0 through 8.2.2 patch 1. It is fixed in Kerio Control 8.2.2 patch 2 and later.
Kerio Operator
Affected versions:
- Operator 2.2.X: only the built-in web server is affected (web admin, client GUI, Kerio Operator Softphone auto-provisioning). Asterisk's secure SIP and SSH are not affected.
- Operator 2.3.0 Beta 1: the web server, secure SIP, and SSH are all affected.
It is fixed in Operator 2.2.5 and later.
Kerio Workspace
Kerio Workspace is not affected.
Priyanka Bhotika