Overview
When the PCI compliance penetration-test report for a Kerio Control appliance is reviewed, it may list what appear to be major security vulnerabilities. In this scenario the scan target is the firewall's public IP address.
The report typically reports failures for Linux kernel issues together with a suboptimal SSL/TLS configuration.
This article explains how to interpret such a vulnerability report and address its findings.
Information
Vulnerability reports usually assign a score to each finding and sort the list from the highest score to the lowest. Kerio Control is built on the Linux kernel (the current kernel is 3.16), and kernel findings are treated as affecting a core part of the product, which is why they appear at the top of the list.
The report may also contain false positives, as in the example below: the scanner reports vulnerabilities of the Linux kernel 2.6 series, although Kerio Control is fully patched and protected against them.
The second most common finding is that the TLSv1.0 protocol is still enabled in the Kerio Control configuration.
TLSv1.0 can be disabled from the SSH console by adding it to the DisabledProtocols variable.
For more information, please refer to Modifying Configuration Parameters in Kerio Control.
Another common finding concerns the SSL certificate presented by the appliance. To pass the PCI compliance test, obtain a certificate issued by a trusted certificate authority (CA) rather than relying on a self-signed one.
Findings about SSL/TLS cipher suites are addressed by editing the CipherList variable in the winroute.cfg file. The procedure is the same as for resolving the TLS server vulnerability SWEET32 (CVE-2016-2183).
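As an added example (not code from the Kerio Control article or from Kerio), the following Python script audits a winroute.cfg-style fragment for both findings described above, TLSv1.0 missing from DisabledProtocols and a CipherList that still lets OpenSSL negotiate 3DES, RC4 or other weak suites, and produces a hardened copy of the fragment. The variable names DisabledProtocols and CipherList come from the article; the XML layout, the table name SslOptions and the space-separated format of DisabledProtocols are assumptions made for illustration, so compare them against the real file on your appliance before applying anything. Cipher expansion uses the ssl module, so the list of negotiable suites reflects the OpenSSL build the script runs on, not necessarily the one inside the appliance.

```python
"""Audit and harden SSL/TLS settings in a winroute.cfg-style XML file.

Added example, not code from the Kerio article. Assumed (not taken from the
article): a <config> root holding <table name="..."> elements, each holding
<variable name="...">value</variable> entries, the table name "SslOptions",
and a space-separated DisabledProtocols value.
"""
import ssl
import xml.etree.ElementTree as ET

# Protocol versions a PCI scan flags when they are still enabled.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0")

# OpenSSL cipher-list exclusions appended to CipherList: !3DES removes the
# 64-bit block cipher suites behind SWEET32 (CVE-2016-2183); single DES and
# RC4 are flagged by scanners as well.
CIPHER_EXCLUSIONS = ("!3DES", "!DES", "!RC4")

TABLE_NAME = "SslOptions"  # assumed table name, see module docstring

# Constructed sample in the assumed layout: TLSv1.0 is not disabled and the
# cipher list starts from ALL, which pulls in 3DES suites.
SAMPLE_CFG = """<config>
  <table name="SslOptions">
    <variable name="DisabledProtocols">SSLv2 SSLv3</variable>
    <variable name="CipherList">ALL:!ADH:!EXP:!LOW:!MD5:@STRENGTH</variable>
  </table>
</config>
"""


def _variable(root, name):
    """Return the <variable> element called `name` inside the SSL table."""
    return root.find(f"./table[@name='{TABLE_NAME}']/variable[@name='{name}']")


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher string into the suites the local OpenSSL
    would negotiate; an empty list means the string selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def weak_suites(cipher_list):
    """Names of negotiable suites a scanner would flag: 64-bit block ciphers
    (3DES, DES), RC4, or anything below 128 bits of strength."""
    flagged = []
    for suite in expand_cipher_list(cipher_list):
        name = suite["name"]
        if "DES" in name or "RC4" in name or suite["strength_bits"] < 128:
            flagged.append(name)
    return flagged


def audit(cfg_xml):
    """Return a list of finding strings for the config; empty means clean."""
    root = ET.fromstring(cfg_xml)
    findings = []
    disabled = _variable(root, "DisabledProtocols")
    off = (disabled.text or "").split() if disabled is not None else []
    for proto in WEAK_PROTOCOLS:
        if proto not in off:
            findings.append(f"{proto} is still enabled (add it to DisabledProtocols)")
    ciphers = _variable(root, "CipherList")
    cipher_list = (ciphers.text or "DEFAULT") if ciphers is not None else "DEFAULT"
    for name in weak_suites(cipher_list):
        findings.append(f"weak cipher suite negotiable: {name}")
    return findings


def harden(cfg_xml):
    """Return the config with SSLv2/SSLv3/TLSv1.0 disabled and the weak-cipher
    exclusions added to CipherList, leaving all other settings untouched."""
    root = ET.fromstring(cfg_xml)
    table = root.find(f"./table[@name='{TABLE_NAME}']")
    if table is None:
        table = ET.SubElement(root, "table", name=TABLE_NAME)

    disabled = _variable(root, "DisabledProtocols")
    if disabled is None:
        disabled = ET.SubElement(table, "variable", name="DisabledProtocols")
    protocols = (disabled.text or "").split()
    protocols += [p for p in WEAK_PROTOCOLS if p not in protocols]
    disabled.text = " ".join(protocols)

    ciphers = _variable(root, "CipherList")
    if ciphers is None:
        ciphers = ET.SubElement(table, "variable", name="CipherList")
    tokens = [t for t in (ciphers.text or "DEFAULT").split(":") if t]
    # '!' exclusions are absolute in OpenSSL wherever they appear; the '@'
    # sort directives are kept last only for readability.
    directives = [t for t in tokens if t.startswith("@")]
    tokens = [t for t in tokens if not t.startswith("@")]
    tokens += [x for x in CIPHER_EXCLUSIONS if x not in tokens]
    ciphers.text = ":".join(tokens + directives)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("FINDING:", finding)
    print(harden(SAMPLE_CFG))
```

Apply the hardened DisabledProtocols and CipherList values through the procedure in Modifying Configuration Parameters in Kerio Control, then confirm from outside the firewall, using a client that still supports TLSv1.0, with `openssl s_client -connect <public-ip>:<port> -tls1`: once TLSv1.0 is disabled the handshake must fail.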
Important: the Blowfish cipher used by the Kerio VPN tunnel in older versions has a known vulnerability. For more information, please refer to Changes in Kerio Control VPN 9.2.8 and above. As a best practice, upgrade Kerio Control to the latest version before running any security checks, so that the report only contains findings that still apply.