Answer
Overview
A vulnerability in the glibc system library on Linux can be exploited to execute code on the server and gain root access.
Kerio Connect
Affected systems
All Linux systems supported by Kerio Connect, including Debian, Ubuntu, Red Hat and CentOS (SUSE and openSUSE for Kerio Connect 8.3.x and older).
Solution
Keep your operating system updated and restart the server after installing the latest glibc updates. The restart matters: every running process has the old library mapped into memory, and replacing the file on disk does not change code that is already loaded, so services started before the update keep running the vulnerable code until they are restarted or the server is rebooted.
Debian 7 (& Kerio Connect 8.3.x and higher virtual appliance)
Run sudo apt-get update and sudo apt-get upgrade in a terminal to bring the system up to date.
To view the installed library version, run sudo dpkg -s libc6. The fixed version is 2.13-38+deb7u7.
Debian 6 (& Kerio Connect 8.2.x and older virtual appliance)
Run sudo apt-get update and sudo apt-get upgrade in a terminal to bring the system up to date.
To view the installed library version, run sudo dpkg -s libc6. The fixed version is 2.11.3-4+deb6u4.
Red Hat
The update is available via Red Hat Network.
CentOS
Run sudo yum update in a terminal. The fixed library versions are listed at https://rhn.redhat.com/errata/RHSA-2015-0092.html. You can get the version of the installed library with the sudo rpm -q glibc command.
Ubuntu
Run sudo apt-get update and sudo apt-get upgrade in a terminal to bring the system up to date.
To view the installed library version, run sudo dpkg -s libc6. The fixed library version for your Ubuntu release can be found at https://launchpad.net/ubuntu/+source/eglibc.
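To verify the update on a Debian or Ubuntu host, the following script (added here as an example; it is not part of the Kerio article) parses the output of dpkg -s libc6, compares the installed version with the fixed version using dpkg's own version ordering (so that 2.13-38+deb7u7 sorts after 2.13-38 and 2.13-38~rc1, and an epoch-prefixed 1:2.13-38 sorts after all of them), and lists processes that still map the old, now deleted, libc according to /proc/<pid>/maps. The fixed version strings are the ones quoted above; the sample dpkg output and maps excerpt are constructed, and the file name glibc_check.py and the --live flag are assumptions of the example.

```python
"""Post-update glibc check for Debian/Ubuntu hosts (added example, not
Kerio's code): read the libc6 version from `dpkg -s libc6`, compare it with
the fixed version using dpkg's ordering, and find processes that still map
the old, now deleted, libc and therefore still run the vulnerable code."""
import glob
import itertools
import re
import subprocess
import sys

# Fixed libc6 versions quoted in the article, by Debian release.
FIXED_VERSIONS = {"wheezy": "2.13-38+deb7u7", "squeeze": "2.11.3-4+deb6u4"}

# Constructed sample inputs (not captured from a real host): an unpatched
# wheezy box, and the maps of a daemon started before libc was replaced.
SAMPLE_DPKG_STATUS = "Package: libc6\nStatus: install ok installed\nVersion: 2.13-38+deb7u6\n"
SAMPLE_MAPS = (
    "00400000-00401000 r-xp 00000000 08:01 131 /usr/sbin/sshd\n"
    "7f1a2c000000-7f1a2c1a2000 r-xp 00000000 08:01 6042 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)\n"
    "7fffb3400000-7fffb3421000 rw-p 00000000 00:00 0 [stack]\n"
)


def _order(c):
    """dpkg's weight for a non-digit character: '~' sorts before end of string, letters before symbols."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision like dpkg: alternate
    non-digit runs (character by character) and digit runs (numerically)."""
    while a or b:
        ra, rb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(ra):], b[len(rb):]
        for ca, cb in itertools.zip_longest(ra, rb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def installed_version(dpkg_status_text):
    """The Version: field of `dpkg -s libc6` output, or None if not installed."""
    for line in dpkg_status_text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_fixed(installed, fixed):
    """True when the installed version is the fixed one or newer."""
    return compare_versions(installed, fixed) >= 0


# A libc replaced on disk while still mapped is listed as "(deleted)".
STALE_LIBC = re.compile(r"/libc(?:-[\d.]+)?\.so(?:\.\d+)?\s+\(deleted\)")


def has_stale_libc(maps_text):
    """True if a /proc/<pid>/maps dump still maps a deleted libc."""
    return any(STALE_LIBC.search(line) for line in maps_text.splitlines())


def stale_libc_pids():
    """PIDs on this host still running the pre-upgrade libc (run as root to read every process)."""
    pids = []
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                if has_stale_libc(fh.read()):
                    pids.append(int(path.split("/")[2]))
        except OSError:
            continue  # process exited, or its maps are not readable
    return sorted(pids)


if __name__ == "__main__":
    # `python3 glibc_check.py wheezy --live` checks this host; without --live the samples are used.
    live = "--live" in sys.argv
    release = next((a for a in sys.argv[1:] if a in FIXED_VERSIONS), "wheezy")
    status = subprocess.check_output(["dpkg", "-s", "libc6"]).decode() if live else SAMPLE_DPKG_STATUS
    ver = installed_version(status)
    ok = ver is not None and is_fixed(ver, FIXED_VERSIONS[release])
    print("libc6 %s, fixed %s: %s" % (ver, FIXED_VERSIONS[release], "OK" if ok else "VULNERABLE"))
    stale = stale_libc_pids() if live else (["sshd (sample)"] if has_stale_libc(SAMPLE_MAPS) else [])
    print("still mapping the old libc, restart these or reboot:", stale)
```

Any PID the --live scan reports after apt-get upgrade is a process that still executes the vulnerable library; that list is normally long (sshd, cron, the Kerio services), which is why rebooting is the practical way to finish the update.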
Kerio Connect Virtual Appliance update
Before running the apt-get update command, make sure that the /etc/apt/sources.list file contains an up-to-date list of Debian package repositories. The list should contain three repositories: main packages, updates, and security updates.
To edit the file, use the sudo nano /etc/apt/sources.list command.
For Debian 7 (Wheezy) the file should contain:
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
deb-src http://ftp.debian.org/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
For Debian 6 (Squeeze) the file should contain:
deb http://ftp.debian.org/debian/ squeeze main contrib
deb-src http://ftp.debian.org/debian/ squeeze main contrib
deb http://security.debian.org/ squeeze/updates main contrib
deb-src http://security.debian.org/ squeeze/updates main contrib
deb http://ftp.debian.org/debian squeeze-lts main contrib
deb-src http://ftp.debian.org/debian squeeze-lts main contrib
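The check below is an added example, not Kerio's code: it parses an apt sources.list (skipping comments, deb-src lines and [arch=...] options), reports which of the suites listed above have no deb line with the main component, and flags a security suite that is not served from security.debian.org, which would leave apt-get upgrade unable to fetch the fixed libc6. The required suite names are taken from the two lists above; the sample sources.list embedded in the script is constructed.

```python
"""Validate /etc/apt/sources.list against the repositories the article
lists (added example, not part of Kerio's documentation)."""
import re

# Suites that must be present as binary (`deb`) entries with the main component.
REQUIRED_SUITES = {
    "wheezy": ["wheezy", "wheezy-updates", "wheezy/updates"],
    "squeeze": ["squeeze", "squeeze-lts", "squeeze/updates"],
}

# Constructed sample: a wheezy file where the security repository was never added.
SAMPLE_SOURCES = """# /etc/apt/sources.list (constructed sample)
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
"""


def parse_sources(text):
    """Return (type, uri, suite, components) for each active entry; comments,
    blank lines, `[arch=...]` options and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"\[[^\]]*\]", "", line.split("#", 1)[0])
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("deb", "deb-src"):
            continue
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def sources_problems(text, release):
    """Problems as plain strings: required suites with no `deb ... main` line,
    and a security suite not served from security.debian.org."""
    present = {suite: uri for typ, uri, suite, comps in parse_sources(text)
               if typ == "deb" and "main" in comps}
    problems = ["missing: %s" % s for s in REQUIRED_SUITES[release] if s not in present]
    sec = release + "/updates"
    if sec in present and "security.debian.org" not in present[sec]:
        problems.append("%s is not served from security.debian.org" % sec)
    return problems


if __name__ == "__main__":
    import sys
    # `python3 check_sources.py wheezy /etc/apt/sources.list`; defaults to the sample.
    release = sys.argv[1] if len(sys.argv) > 1 else "wheezy"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SOURCES
    for problem in sources_problems(text, release) or ["sources.list OK"]:
        print(problem)
```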
Kerio Control
The Kerio Control box, software appliance and virtual appliance up to version 8.4.2 contain the vulnerable glibc library. The vulnerability is not remotely exploitable in Kerio Control, because Control implements its own DNS resolver rather than relying on glibc's. From Kerio Control 8.4.3 onward this has been fixed.
Kerio Operator
The Kerio Operator box and software appliance up to version 2.3.4 contain the vulnerable glibc library. In the standard configuration, the vulnerability can only be exploited from the local area network. Operator administrators are advised to keep the standard built-in firewall configuration and never expose hardware phone provisioning to the public network (this is our standard recommendation). From Kerio Operator 2.3.4 patch 1 onward this has been fixed.
Priyanka Bhotika