Overview
This vulnerability is a flaw in protocol design. An attacker that controls the network between the client and the server can interfere with any attempted handshake offering TLS 1.0 or later and force both client and server to use SSL 3.0 protocol instead. After that he can use other attack techniques to decipher transmitted data. For example, BEAST attack.
Kerio Connect - patched with 8.3.4 (Oct 23, 2014)
Affected versions
- Kerio MailServer 5 - 6.7.3
- Kerio Connect 7.0.0 - 8.3.3
Impact
An attacker can obtain a HTTP session cookie for Kerio Connect client or web administration session by intercepting network communication and decrypting SSL 3.0. It allows an attacker to get full access to user's mailbox or product configuration.
Patch
A patched version with TLS_FALLBACK_SCSV support in OpenSSL is available in Kerio Connect 8.3.4 (Oct 23, 2014). You can download the update from the Kerio Connect download page.
Kerio recommends to disable SSL 3.0 support if there is no requirement for compatibility with old internet browsers or email clients.
Disabling SSL 3.0 in Kerio Connect
Update to version 8.3.3 (released Oct 16) and higher.
- Stop Kerio Connect server.
- Edit the mailserver.cfg file and change "DisableSSLv3" configuration value to "1".
- Start Kerio Connect server.
Kerio Control - will be patched (workaround available)
Affected version
Kerio Control up to version 8.4.0.
Impact
An attacker can obtain a HTTP session cookie for Kerio Control client or web administration session by intercepting network communication and decrypting SSL 3.0. It allows an attacker to get full access to user's statistics or product configuration.
Workaround for Kerio Control
Change configuration value "ForceTLSv1_1" to "1" and restart the server.
For all appliance editions, this requires SSH access. To enable SSH access, hold the shift key while clicking the System Health dialog. A new button will appear in the bottom left to enable SSH access. The login is root, and the password is the same as the admin account used to access the web administration.
Type the following commands in console or SSH:
~ # /opt/kerio/winroute/tinydbclient "update ssl set forcetlsv1_1=1" ~ # /etc/boxinit.d/60winroute restart
Patch
A patched version with TLS_FALLBACK_SCSV support in OpenSSL is available in Kerio Control 8.4.1 (October 24, 2014). You can download the update from the Kerio Control download page.
Kerio Operator - Update available
Affected versions
Kerio Operator up to version 2.3.3.
Impact
An attacker can obtain a HTTP session cookie for Kerio Operator client or web administration session by intercepting network communication and decrypting SSL 3.0. This allows an attacker to get access to the product configuration or to an individual user's configuration and voice mail.
Workaround
There is no work-around for this vulnerability. Kerio recommends updating to the current release version, which includes a patch.
Patch
A patched version with TLS_FALLBACK_SCSV support in OpenSSL is available in Kerio Operator 2.3.3 patch 1 (October 22, 2014). You can download the update from the Kerio Operator download page.