Summary
Kerio Control VPN Vulnerability - Inadequate Cryptography Mechanism
Overview
What is the Vulnerability
Kerio Control VPN encrypts traffic so that it cannot be modified in transit and its contents cannot be read by third parties. However, the cipher in use has become obsolete, and it has been proven that an attacker can replace the content of the VPN traffic with something else, potentially malicious. This is due to the weak cryptography and affects all versions of Kerio Control earlier than 9.2.8.
How to Identify if vulnerable VPN Clients are connecting to Kerio Control
- Open Kerio Control administrative console
- Click Status from the left sidebar
- Click VPN Clients
- This displays the list of VPN Clients. If the Version column is not visible, right-click the column header, select Columns, and tick Version.
- Vulnerable clients are version 9.2.7 or earlier.
Creating Automatic Alerts
- Go to Logs (left tab)
- Select Debug log
- Right-click on log text and select Messages
- In the Messages dropdown scroll down to Kerio VPN
- Select VPN clients
- Click on OK
- Now go to Settings (left tab)
- Select Accounting and Monitoring
- Select tab Alert Settings
- Click on Add
- Enter email address to receive the alert
- Click Log Message
- In Name enter: BlowFish VPN Client Connect
- Log select Debug
- Condition type in: .*?Cipher configured. Cipher Type:BLF User:.*
- Tick Use Regular Expression
- Click OK
- Click OK in Edit Alerts dialog
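The two checks above (the Version column under Status > VPN Clients, and the Debug-log alert condition) can also be applied to exported data. The following script is an added example and is not part of Kerio's documentation or product: it runs the article's alert regular expression over constructed debug-log lines and compares client versions against 9.2.8. The log line layout (timestamp, `{vpn}` tag) and the non-Blowfish cipher tag `AES` are assumptions; only the `Cipher configured. Cipher Type:BLF User:` text comes from the article.

```python
import re
from typing import List, Tuple

# Alert condition exactly as given in the article, compiled as a regular expression.
# "BLF" is the cipher tag the alert looks for (Blowfish).
BLOWFISH_CONDITION = re.compile(r".*?Cipher configured. Cipher Type:BLF User:.*")

# Clients at this version or later use the stronger cipher; 9.2.7 and earlier are vulnerable.
FIXED_VERSION = (9, 2, 8)

# Constructed sample lines. The surrounding layout (timestamp, "{vpn}" tag) and the
# "AES" tag on the non-Blowfish lines are assumptions, not the real log format.
SAMPLE_DEBUG_LOG = """\
[01/Jan/2024 08:00:01] {vpn} Cipher configured. Cipher Type:BLF User:alice
[01/Jan/2024 08:00:05] {vpn} Cipher configured. Cipher Type:AES User:bob
[01/Jan/2024 08:00:09] {vpn} Client connected from 198.51.100.20
[01/Jan/2024 08:01:12] {vpn} Cipher configured. Cipher Type:BLF User:carol
"""

# Pulls the user name that follows "User:" on a matching line.
USER_RE = re.compile(r"User:(\S+)")


def find_blowfish_sessions(log_text: str) -> List[str]:
    """Return the user names from debug-log lines that satisfy the article's alert condition."""
    users = []
    for line in log_text.splitlines():
        # re.match is sufficient because the article's pattern starts with ".*?".
        if BLOWFISH_CONDITION.match(line):
            m = USER_RE.search(line)
            users.append(m.group(1) if m else "<unknown>")
    return users


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Version-column value such as '9.2.7' into a comparable tuple.

    Trailing text after the three numbers (for example a build number,
    an assumed format) is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def vulnerable_clients(clients: List[Tuple[str, str]]) -> List[str]:
    """Given (user, version) pairs as shown in Status > VPN Clients,
    return the users whose client is 9.2.7 or earlier."""
    return [user for user, version in clients if parse_version(version) < FIXED_VERSION]


if __name__ == "__main__":
    # Constructed sample of what the VPN Clients view might list.
    sample_clients = [("alice", "9.2.7"), ("bob", "9.2.8"), ("dave", "9.1.4 build 100")]
    print("Blowfish sessions in log:", find_blowfish_sessions(SAMPLE_DEBUG_LOG))
    print("Clients still on a vulnerable version:", vulnerable_clients(sample_clients))
```

Because the article's regular expression is used unchanged, a line that the script flags is also a line the console alert would fire on, which makes the script a convenient way to confirm the alert condition against an exported Debug log before relying on the e-mail alert alone.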
Cause
- This is due to the weak cryptography (Blowfish) that has been used since the initial release of Kerio Control VPN.
Resolution
- Upgrade to Kerio Control 9.2.8 which uses more robust encryption.
- Follow the guide below for instructions on how to upgrade Kerio Control and Kerio Control VPN software to version 9.2.8:
Upgrading Kerio Control