Answer
Overview
October 6, 2014
The reported vulnerability is a local file inclusion vulnerability affecting the webmail feature of the Kerio Connect product. Exploitation of this vulnerability can lead to arbitrary code execution with SYSTEM privileges on the Windows hosting server. The vulnerability can be triggered through the legacy user interface which cannot be disabled. Access to this interface requires a valid standard e-mail account.
Reported by Géraud De Drouas from French Network and Information Security Agency (ANSSI).
Impact
Arbitrary code execution with SYSTEM privileges.
CVSS Base Score: 9
Impact Subscore: 10
Exploitability Subscore :8
Overall CVSS Score: 7
CVSS v2 Vector (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Vulnerable versions
Kerio MailServer 6.3.0 - 6.7.3
Kerio Connect 7.0.0 - 8.3.2
Technical details
Improper control of filename for include/require statement (CWE-98).