Best solution for Kerio 2.1.5 weaknesses (fragmented packets, bsod, ...)

Discussion in 'other firewalls' started by RWA, Oct 2, 2005.

Thread Status:
Not open for further replies.
  1. RWA

    RWA Guest

    PLEASE READ THE WARNING AT THE END OF THIS POST BEFORE YOU DECIDE TO COMBINE FIREWALL SOFTWARE (CHX + KERIO 2.1.5 IS NOT A RECOMMENDED COMBINATION!)

    I tested the following workaround on Windows 2000 sp4 using PING and it works fine. Both outbound pings initiated locally and inbound pings initiated from a remote Linux box using normal and oversized packets.

    As everyone knows, Kerio 2.1.5 is wonderful except for a couple flaws.

    The first flaw, fragmented packets, can be easily resolved by running Harden-It 1.2 (free) and accepting the default settings during the install. When I try to ping using oversized packets with Kerio's "Stop all traffic", the pings timeout instead of working (as it did before this workaround). And when Kerio's "Enable Traffic" is selected again, the pings (including oversized ones) work fine again. I didn't notice any new processes in TaskMgr after installing Harden-It, didn't have time to see if all it does is tweak registry or install any drivers.

    The second flaw, incompatibility with other drivers causing BSOD, can be avoided if we gather and share a list of incompatible software along with workarounds. I'll begin by contributing the first item, and I hope a registered user will take this and run with it:

    Raxco Perfectdisk 7 build 42 (latest). They recommend upgrading Kerio:
    http://www.raxco.com/support/windows/kb_details.cfm?kbid=506
    NOTE: I heard that PerfectDisk 7 build 34 works with Kerio 2.1.5

    In summary, Kerio 2.1.5 works great with Harden-It 1.2 (free) to provide a very low-resource firewall solution that does not suffer from Kerio's infamous fragmented packets bug.

    However, there appears to be some BSOD-causing incompatibility between Kerio 2.1.5 and some other drivers so we should maintain a list of such incompatibilities.
    See http://www.dslreports.com/forum/remark,12530877

One last item, since Kerio 2.1.5 is so popular, it would be fantastic if we can have a Kerio 2.1.5 + Harden-It 1.2 combination be tested using the same criteria at http://www.firewallleaktester.com/tests.htm

    Perhaps a kind soul on this forum could volunteer to perform the same leak tests and post results? Please?

    WARNING: Some people might be tempted to use Kerio 2.1.5 with another program such as CHX. I heard that combination has bugs and should be avoided. However, the CHX + Look'n'Stop combination is reported to work fine--but Look'n'Stop is not free like Kerio 2.1.5. BEWARE of combining overlapping software because things might appear to work on the surface but you might be introducing huge security holes.
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Wrong. I have tried this approach and tested it here. Kerio still allows inbound fragmented UDP thru to port 1026 (in my case), which is then processed by the OS and generates a resulting outbound ICMP type 3. I can't say exactly what's happening with the fragments. It appears that Kerio allows a first fragment thru and then also the packet following that one, thinking that it belongs to the first packet. But the end result is that the OS generates an outbound ICMP type 3, which indicates that it is indeed processing packets that are getting thru.

    I have also tried changing registry settings to disable fragmented packet processing by the OS, with the same negative results.

    There is no solution to the Kerio 2 fragmented packet issue other than running a router or something like CHX behind Kerio to catch what Kerio allows thru.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is this the key you tried?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver

    -rich
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    No, that doesn't look familiar. To be honest, I don't remember which key it was. It was 9 months or so ago, and I have forgotten it. But you can find it I'm sure if you Google for it. I originally found it from a post by someone in a newsgroup.

    I suppose we could argue this frag packet thing forever. Some will claim you can fix or patch it, and I disagree. No matter how much we want Kerio 2 to be ok, it isn't. And I think if and when you put it into a real world situation where there is fragmented incoming UDP or TCP, you will see that it does not handle it properly and allows it thru. There is nothing to be done about it.
     
  5. RWA

    RWA Guest

    Kerodo, thanks for the feedback.

    On Windows 2000 sp4:

    I cannot "ping -l 2000 192.168.x.x" both to & from the PC protected by Kerio 2.1.5 and Harden-It 1.2 when Kerio's "Stop all traffic" is enabled.

    On the other hand, if I use Kerio 2.1.5 by itself, the pings bypass Kerio's "Stop all traffic".

    I see this as a big improvement because "Stop all traffic" should mean exactly what it says. However, if you are able to get packets to reach applications/services running on a pc with Kerio 2.1.5 and Harden-It 1.2 with "Stop all traffic" enabled, I'd love to be able to confirm it.

    Can you provide step-by-step instructions on how you performed your test so I can confirm that this setup is allowing fragmented packets?

    Thanks again for the feedback.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I can't give you any step by step instructions because I was not performing tests but simply running Kerio 2 in a normal real world situation here. At one time, before I had a router, I was running Kerio 2 and began to see outbound icmp type 3 to a few addresses other than my dns servers. At first I had no idea why, but later, after running several other firewalls and observing the logs in each, I discovered that I was getting what appeared to be random messenger spam udp packets (fragmented) in to port 1026, perhaps 6 or 7 of them a day, on a very regular basis. Sygate showed them as a pair of packets, the first one fragmented (Sygate called it a "non-first fragment"), immediately followed by a 2nd packet to port 1026. Other firewalls also reported the fragments, LnS for one, and Jetico was another. I watched them for months here. Anyway, these packet pairs were getting thru Kerio and the one to port 1026 was hitting the OS and generating an icmp type 3 outbound as a result.

    Later, just to verify what I was seeing, I also ran Kerio 2 with CHX in the background. Nothing appeared in the CHX logs except those packets to port 1026, which meant that they were getting in past Kerio and hitting the CHX logs. Those were the only packets. Everything else was (rightfully) stopped by Kerio.

    I mentioned all this in a few forums and received mixed responses, some believing it and others skeptical. Finally one person in the comp.security.firewalls newsgroups actually did quite a bit of testing, firing various packets (tcp, icmp etc) at Kerio from a Linux machine to see what happened, and he more or less confirmed that Kerio was passing fragmented packets. I think you can probably find those threads if you Google or search dslreports.com or some other forums also.

    Anyway, that is pretty much it. Just running under normal conditions and seeing what I saw. At one point in time, the fragmented packets stopped hitting my IP for some reason, this after over a year of seeing them. They typically came from just a few addresses. I assume they were messenger spam since udp port 1026 is a common messenger spam target. They are gone now, so I could not test it again if I wanted to without doing some technical testing which is beyond my means right now.

Sorry I can't help with something more scientific, but I do know what I saw, and after observing various firewalls and CHX, I am convinced of what I saw. Perhaps someone can or will do some more scientific testing again to demonstrate it more concretely.
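
The observation above (inbound "non-first fragment" followed by a UDP packet to port 1026, then an outbound ICMP type 3 to the same peer) is something a log reader can check mechanically. The script below is an added example, not code from the thread or from any of the firewalls named in it: it correlates inbound events with outbound ICMP type 3 (destination unreachable) messages to hosts that are not the configured DNS servers, which is the tell-tale that a packet reached the OS stack instead of being dropped. The one-line log format, the addresses and the DNS server list are all constructed for the example; real firewall logs would need their own parser.

```python
from datetime import datetime, timedelta

# Constructed sample log (not any real firewall's format):
#   date time DIRECTION PROTO src -> dst [flags...]
SAMPLE_LOG = """\
2005-10-02 09:14:01 IN  UDP  203.0.113.7:1040 -> 192.0.2.10:1026 non-first-fragment
2005-10-02 09:14:01 IN  UDP  203.0.113.7:1040 -> 192.0.2.10:1026
2005-10-02 09:14:01 OUT ICMP 192.0.2.10 -> 203.0.113.7 type=3 code=3
2005-10-02 09:20:44 OUT ICMP 192.0.2.10 -> 198.51.100.1 type=3 code=3
2005-10-02 09:30:10 IN  TCP  198.51.100.9:4021 -> 192.0.2.10:135
"""

# Constructed: the resolvers this host legitimately talks to. Outbound ICMP type 3
# to these is the normal "port unreachable" after a late DNS answer and is ignored.
DNS_SERVERS = {"198.51.100.1"}


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    direction, proto, src, _arrow, dst = parts[2:7]
    return {"ts": ts, "dir": direction, "proto": proto,
            "src": src, "dst": dst, "flags": parts[7:]}


def host(endpoint):
    """Strip a ':port' suffix so 'a.b.c.d:1026' and 'a.b.c.d' compare equal."""
    return endpoint.split(":")[0]


def analyse(log_text, window=timedelta(seconds=2)):
    """Return findings as (kind, peer, local_endpoint) tuples.

    kind 'non_first_fragment': an inbound fragment without an L4 header, which a
    port-based filter cannot classify on its own.
    kind 'icmp_unreachable_to_non_dns': the OS answered a peer that is not a DNS
    server with ICMP type 3, i.e. something from that peer got past the firewall.
    The local endpoint reported is the most recent inbound packet from the same
    peer inside the time window, or None if none was logged.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    inbound = [e for e in events if e["dir"] == "IN"]
    findings = []
    for e in events:
        if e["dir"] == "IN" and "non-first-fragment" in e["flags"]:
            findings.append(("non_first_fragment", host(e["src"]), e["dst"]))
        if e["dir"] == "OUT" and e["proto"] == "ICMP" and "type=3" in e["flags"]:
            peer = host(e["dst"])
            if peer in DNS_SERVERS:
                continue
            related = [i for i in inbound
                       if host(i["src"]) == peer
                       and timedelta(0) <= e["ts"] - i["ts"] <= window]
            local = related[-1]["dst"] if related else None
            findings.append(("icmp_unreachable_to_non_dns", peer, local))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample, the unreachable sent to the DNS server is skipped, the TCP probe to 135 produces nothing, and the fragment pair from 203.0.113.7 yields two findings pointing at the same local endpoint, 192.0.2.10:1026. That is the same reasoning as in the post: outbound ICMP type 3 that is not explained by DNS traffic means the stack saw something the firewall should have dropped.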
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Kerodo, just curious why you allow outbound type 3 to other than your DNS servers?

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I wasn't allowing it, just logging it. That's the whole point. If I hadn't been logging it, I'd have never noticed it in the first place, which pointed to some kind of problem.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
  10. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
I tried Kerio 2.1.5 using the aforementioned ping test to www.freebsd.org using packet size 5000 bytes and it went through no problem in "stop all traffic" mode, even with a default Harden-It install. This was on XPSP2. (I don't normally use Kerio anymore much, just for testing sometimes. I have a Drive Image I can restore to that has Kerio installed on XPSP2. After the test, I restored my regular image, which uses CHX-I on XPSP2)
     
    Last edited: Oct 2, 2005
  11. Arup

    Arup Guest

    http://members.shaw.ca/BIND-PE_and_ICS/

Go through this site, like me, they use Kerio 2.1.5 with CHX for total stealth, the default ICS mode in KPF 2x yields blocked and not stealthed mode, so CHX comes in and provides total stealth, works nicely for them as it did for me, no problems at all.
     
  12. RWA

    RWA Guest

    Your prior ping replies are being reported by the new "ping -l 5000" command after you do "Stop all traffic". If you issue this ping command around 7 (seven) times after doing the "Stop all traffic", it will eat up all the old responses and will forever report ping timeouts until you "Enable traffic".

    I suspect this temporary side-effect probably fooled quite a few people that tried similar workarounds in the past.

    STEP-BY-STEP INSTRUCTIONS TO CONFIRM THAT KERIO 2.1.5 + REGISTRY TWEAKS WILL BLOCK PINGS INVOLVING FRAGMENTED PACKETS:

    This is what I did on Windows 2000 sp4, Kerio 2.1.5 installed, Harden-It 1.2 installed with default settings, rebooted:

    1. in Kerio tray icon, "Enable traffic"
    2. in cmd, "ping -l 5000 www.freebsd.org"
let the command finish with 4 responses & summary info
    3. in Kerio tray icon, "Stop all traffic"
    4. in cmd, repeat "ping -l 5000 www.freebsd.org" about 7 times
    old (prior) ping response will initially be reported by these new pings
    timeouts will begin after about 7 commands
    5. take a coffee break (optional)
    6. "ping -l 5000 www.freebsd.org" as many times as desired
    always timeout now
    the pings will never succeed again while Kerio's "Stop all traffic" is active
    7. in Kerio tray icon, "Enable traffic"
    8. in cmd, "ping -l 5000 www.freebsd.org"
    ping response immediately received again

    In a nutshell, I'm able to continue using Kerio 2.1.5 as my only firewall (on that pc) and have Harden-It tweak my registry as a workaround to deal with at least one scenario involving fragmented packets. I'd be curious to see new test results using other protocols that take all of this into consideration.

    I believe this combination is superior to using Kerio 2.1.5 by itself because it fills at least one more hole. And it appears to avoid introducing new bugs which can result from using 2 firewalls on the same pc--I heard Kerio 2.1.5 + CHX introduces new bugs while Look-n-stop + CHX works fine (but costs $).

    This is the exact output I get on Windows 2000 sp4 in step #6 (Kerio's "Stop all traffic" active):

    C:\>ping -l 5000 www.freebsd.org

    Pinging www.freebsd.org [216.136.204.117] with 5000 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 216.136.204.117:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    This is the exact output I get on Windows 2000 sp4 in step #8 (Kerio's "Enable traffic" reactivated):

    C:\>ping -l 5000 www.freebsd.org

    Pinging www.freebsd.org [216.136.204.117] with 5000 bytes of data:

    Reply from 216.136.204.117: bytes=5000 time=224ms TTL=48
    Reply from 216.136.204.117: bytes=5000 time=224ms TTL=48
    Reply from 216.136.204.117: bytes=5000 time=221ms TTL=48
    Reply from 216.136.204.117: bytes=5000 time=221ms TTL=48

    Ping statistics for 216.136.204.117:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 221ms, Maximum = 224ms, Average = 222ms
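
Two things in the procedure above are easy to get wrong by hand: deciding whether a run of pings "really" timed out (the post warns that the first seven or so runs after "Stop all traffic" still report stale replies), and understanding why "ping -l 5000" is a fragment test at all. The script below is an added example, not code from the thread: it parses Windows ping output of the shape shown above (the two transcripts are copied from the post), applies the settle-window rule the post describes before giving a verdict, and computes how a 5000-byte echo request splits into IP fragments at a 1500-byte MTU. The settle count of 7 is taken from the post; the fragment arithmetic is plain RFC 791 (offsets in 8-byte units, only the first fragment carries the ICMP header).

```python
import re

# Constructed sample input, copied from the transcripts in the post above.
BLOCKED_RUN = """\
Pinging www.freebsd.org [216.136.204.117] with 5000 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 216.136.204.117:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""

ALLOWED_RUN = """\
Pinging www.freebsd.org [216.136.204.117] with 5000 bytes of data:

Reply from 216.136.204.117: bytes=5000 time=224ms TTL=48
Reply from 216.136.204.117: bytes=5000 time=224ms TTL=48
Reply from 216.136.204.117: bytes=5000 time=221ms TTL=48
Reply from 216.136.204.117: bytes=5000 time=221ms TTL=48

Ping statistics for 216.136.204.117:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""

STATS_RE = re.compile(r"Packets: Sent = (\d+), Received = (\d+), Lost = (\d+)")
REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time=(\d+)ms TTL=(\d+)")


def parse_ping(output):
    """Return (sent, received, replies) from one Windows ping transcript.

    replies is a list of (ip, bytes, time_ms, ttl) for each 'Reply from' line.
    """
    m = STATS_RE.search(output)
    if not m:
        raise ValueError("no 'Packets:' statistics line found")
    sent, received, _lost = (int(x) for x in m.groups())
    replies = [(ip, int(b), int(t), int(ttl))
               for ip, b, t, ttl in REPLY_RE.findall(output)]
    return sent, received, replies


def ip_fragments(l4_len, mtu=1500, ip_hdr=20):
    """Split an IP payload of l4_len bytes into fragments for the given MTU.

    Returns (offset_bytes, payload_len, more_fragments) per fragment. Fragment
    offsets are multiples of 8, so a full fragment carries (mtu - ip_hdr)
    rounded down to a multiple of 8. Only the fragment at offset 0 contains the
    ICMP (or UDP/TCP) header; every later one is a 'non-first fragment' with no
    port or type information for a filter to look at.
    """
    chunk = (mtu - ip_hdr) // 8 * 8
    frags, off = [], 0
    while off < l4_len:
        n = min(chunk, l4_len - off)
        frags.append((off, n, off + n < l4_len))
        off += n
    return frags


def verdict(runs, settle=7):
    """Judge ping transcripts collected after 'Stop all traffic'.

    The post reports that roughly the first 7 runs still echo stale replies, so
    those are discarded. 'blocked' only if every remaining run lost everything.
    """
    judged = runs[settle:]
    if not judged:
        return "inconclusive"
    for out in judged:
        _sent, received, _replies = parse_ping(out)
        if received > 0:
            return "leaks"
    return "blocked"


if __name__ == "__main__":
    # 5000 data bytes + 8-byte ICMP echo header = 5008 bytes of IP payload.
    for frag in ip_fragments(5000 + 8):
        print(frag)
    print(verdict([ALLOWED_RUN] * 7 + [BLOCKED_RUN] * 3))
```

For "-l 5000" the function reports four fragments, 1480 + 1480 + 1480 + 568 bytes, and only the first has the ICMP header; that is why a filter that keys on ICMP type or UDP/TCP port has nothing to match in the other three. The settle rule is the same one the post arrives at empirically: a handful of successful-looking runs right after "Stop all traffic" is not evidence of a leak, but any reply after the window is.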
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What are the Registry tweaks?

    -rich
     
  14. RWA

    RWA Guest

    Regmon.exe can show what registry values are modified by a specified program so finding out should be simple.

Bad news. While the outgoing pings behave as described in this thread, I've had inconsistent results with pings from an external machine targeting the protected pc.
     
  15. 3262346

    3262346 Guest

    So having Kerio 2.1.5 alone is useless?

    Should I switch back to Windows Firewall SP2?
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825

    No, as the SP2 firewall only blocks incoming attempts. If you have a router tho, a sw firewall is optional imho.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    If you are behind the protection of a router, then nothing can get you inbound, and Kerio 2.1.5 is great since it offers you a huge amount of control over apps and the ports they use and so on.

    However, if you're on cable, no router, or even perhaps dial-up, you can still use Kerio, just be aware that fragmented packets can occasionally get thru inbound, and in an extreme case, it *may* be possible for someone to exploit this opening. Not likely in a typical home user situation though.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I know an earlier poster referred to buffer overrun, etc, but are you aware of known exploits and what has happened, and how whatever happened was cleaned up?

Awful lot of "what if's" and "possibilities" have been thrown around.

    Why not likely in a home situation? I know kareldjag has touched on this, but what is your take on it?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    My take on the whole Kerio thing is that there is a problem, but I don't know how much I would worry about it. It is psychologically annoying that fragmented packets can get thru, or that anything can get thru for that matter. A firewall isn't supposed to allow that to happen, right?

    My experience here running cable for years has been that I don't see much incoming nonsense except just the usual "noise". I have never had anyone specifically target me and I seriously doubt that most home users do either. In other words, I am not very paranoid about incoming threats, and just don't see any happening here. I have always studied my firewall logs and in several years of doing so, have never seen so much as one cause for concern.

    If you were to run your machine without any protection and expose open ports to the internet, then you could worry, otherwise, I just don't see where the big threat is. This is just me though. Perhaps others have different situations and have a right to worry about things.

So, at least here, running Kerio with its flaws is probably fine, and it's likely that nothing would ever come of it. I now have a router, so I don't need to worry about the issue at all, and I do sometimes use Kerio 2 just for outbound app control.

So, in my opinion, it's really up to the user. If it bothers you that Kerio allows fragmented packets in, then by all means, use something else. There is no shortage of firewalls, free and otherwise, right? But as far as it being a serious vulnerability that is likely to be exploited, well, I just have never seen any proof of this happening so far, and I don't think we ever will.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Except for cable, I echo your experience.

    thanks for your observation.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  21. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Sorry, Kerodo: Did you do any tests regarding TCP both inbound or outbound? Can you confirm that outbound fragmented UDP packets exhibit similar behaviour?
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Nope, I have done no tests here, only the observations I have described above. This link, which I know you have seen, describes the only tests I know of on Kerio 2: http://www.broadbandreports.com/for...e=vulnerability
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That may be an eventual flushing of the DNS cache. I was alerted to this in reading that the Ping command has a cache.

    So, if you flush the cache after your first ping, then Stop All Traffic and run the second Ping, it will block. Maybe someone else can confirm this.

    -rich

    http://www.rsjones.net/img/kerio-ping.gif
     
  24. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    So would disabling the DNS Client service essentially do the same thing?
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    if anyone is really that worried about fragmented packets wouldn't it be simpler to just upgrade to kerio 4.2.2 free? the free version doesn't have all the bloatware - it's turned off after 30 days.
     