Software Update: Kerio Personal Firewall 2.1.5


Kerio has released an update for its Personal Firewall that fixes two security bugs in the product's remote administration component. The program is a solid desktop firewall and is free for home use. The advisory text accompanying the update reads as follows:

*Vulnerability Description*
Kerio Personal Firewall (KPF) is a firewall for workstations designed to protect them against attacks from the Internet and the local network. We found two security vulnerabilities in KPF’s remote administration system:

[BID 7179]
A replay attack is possible against the authenticated/encrypted channel for remote administration. A design problem in the authentication mechanism for remote administration allows an attacker to replay captured packets from a valid remote administration session in order to reproduce the administrator’s directives to the personal firewall.

For example, if the attacker is able to sniff a valid session in which the administrator disabled the firewall, the attacker gains the ability to disable the personal firewall at will at any time in the future.

[BID 7180]
A remotely exploitable buffer overflow exists in the administrator authentication process.

*Vulnerable Packages*
Kerio Personal Firewall version 2.1.4 and all previous versions.
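The replay problem described under BID 7179 is easiest to see with a toy model of an authenticated admin channel. The following Python is an added example, not code from Kerio or from the advisory, and it assumes nothing about Kerio's real wire format: packets, the shared key, the `DISABLE`/`ENABLE` commands and the nonce length are all constructed for illustration. Encryption is left out because it does not change the point; a MAC (or a cipher) proves who produced a packet, not when, so a firewall that accepts any packet whose MAC verifies will accept the same packet again from an attacker. The hardened variant binds every command to a fresh, single-use nonce issued by the firewall, so a sniffed packet cannot be re-used.

```python
import hashlib
import hmac
import secrets

# Shared secret between the administrator console and the firewall.
# Constructed for this example; nothing about Kerio's real key handling is assumed.
SHARED_KEY = b"example-admin-secret"
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# --- administrator side: packet builders -----------------------------------

def build_packet(key: bytes, command: bytes) -> bytes:
    """Naive format: command || MAC(command). Nothing ties it to a point in time."""
    return command + _mac(key, command)


def build_packet_with_nonce(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Hardened format: nonce || command || MAC(nonce || command)."""
    return nonce + command + _mac(key, nonce + command)


# --- firewall side: packet consumers ---------------------------------------

class NaiveFirewall:
    """Accepts any packet whose MAC verifies. No freshness check, so a captured
    packet is accepted again when re-sent later (the BID 7179 pattern)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.enabled = True

    def _apply(self, command: bytes) -> None:
        if command == b"DISABLE":
            self.enabled = False
        elif command == b"ENABLE":
            self.enabled = True

    def receive(self, packet: bytes) -> bool:
        command, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.key, command)):
            return False
        self._apply(command)
        return True


class ChallengeFirewall(NaiveFirewall):
    """Issues a random nonce per command and accepts only a packet bound to the
    currently outstanding nonce. Each nonce is consumed on first use."""

    def __init__(self, key: bytes) -> None:
        super().__init__(key)
        self._outstanding = None

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(NONCE_LEN)
        return self._outstanding

    def receive(self, packet: bytes) -> bool:
        nonce, command, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        if self._outstanding is None or not hmac.compare_digest(nonce, self._outstanding):
            return False
        self._outstanding = None  # single use, regardless of whether the MAC below verifies
        if not hmac.compare_digest(tag, _mac(self.key, nonce + command)):
            return False
        self._apply(command)
        return True


# --- scenarios: sniff one legitimate DISABLE, replay it later ---------------

def replay_against_naive() -> dict:
    fw = NaiveFirewall(SHARED_KEY)
    captured = build_packet(SHARED_KEY, b"DISABLE")  # sniffed from a real admin session
    legit = fw.receive(captured)
    fw.enabled = True                                # administrator re-enables the firewall later
    replayed = fw.receive(captured)                  # attacker re-sends the sniffed bytes
    return {"legit_accepted": legit, "replay_accepted": replayed, "enabled": fw.enabled}


def replay_against_challenge() -> dict:
    fw = ChallengeFirewall(SHARED_KEY)
    nonce = fw.challenge()
    captured = build_packet_with_nonce(SHARED_KEY, nonce, b"DISABLE")
    legit = fw.receive(captured)
    fw.enabled = True
    fw.challenge()                                   # a new nonce is outstanding; attacker has no packet for it
    replayed = fw.receive(captured)                  # old nonce: rejected before the command is applied
    return {"legit_accepted": legit, "replay_accepted": replayed, "enabled": fw.enabled}


def tampered_packet_rejected() -> bool:
    """Sanity check that the MAC itself still does its job in both formats."""
    fw = ChallengeFirewall(SHARED_KEY)
    nonce = fw.challenge()
    packet = bytearray(build_packet_with_nonce(SHARED_KEY, nonce, b"ENABLE"))
    packet[NONCE_LEN] ^= 0x01                        # flip a bit in the command
    return fw.receive(bytes(packet)) is False


if __name__ == "__main__":
    print("naive:    ", replay_against_naive())
    print("challenge:", replay_against_challenge())
    print("tamper rejected:", tampered_packet_rejected())
```

The naive firewall ends up disabled after the replay even though every MAC check passed; the challenge-based one accepts the original command once and rejects the identical bytes afterwards. A monotonically increasing counter stored on both sides would work as well as a server-issued nonce; what matters is that the authenticated data includes something the attacker cannot reproduce from a captured session.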

Version number: 2.1.5
Operating systems: Windows 9x, Windows NT, Windows 2000, Windows XP
Website: Kerio
License type: Conditions (GNU/BSD/etc.)