Overview
October 6, 2014
The reported vulnerability is a local file inclusion vulnerability in the webmail component of Kerio Connect. Exploitation can lead to arbitrary code execution with SYSTEM privileges on the Windows server hosting the product. The vulnerability is triggered through the legacy webmail interface, which cannot be disabled; access to that interface requires a valid standard e-mail account, so the issue is exploitable by any authenticated user rather than only by administrators.
Reported by Géraud De Drouas of the French Network and Information Security Agency (ANSSI).
Impact
Arbitrary code execution with SYSTEM privileges.
CVSS Base Score: 9
Impact Subscore: 10
Exploitability Subscore: 8
Overall CVSS Score: 7
CVSS v2 Vector (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Vulnerable versions
Kerio MailServer 6.3.0 - 6.7.3
Kerio Connect 7.0.0 - 8.3.2
Technical details
Improper control of filename for include/require statement (CWE-98).
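CWE-98 describes the pattern where the filename passed to an include is built from request-controlled input, so a caller can point it at a file outside the intended template directory. The block below is an added example written for this page, not Kerio code and not the route to code execution described above: a deliberately vulnerable template loader beside a hardened one that maps the request parameter through an allowlist and then checks the resolved path is still inside the template root. The template names, file layout and contents are constructed in a temporary directory.

```python
"""File-inclusion pattern (CWE-98): vulnerable loader beside a hardened one.
Added example, not Kerio code; template names and paths are constructed here."""
import os
import tempfile


class TemplateError(Exception):
    pass


def load_template_vulnerable(template_dir: str, name: str) -> str:
    """Builds the include path straight from the request parameter.
    '..' segments walk out of template_dir, and os.path.join drops
    template_dir entirely when name is an absolute path."""
    with open(os.path.join(template_dir, name), encoding="utf-8") as fh:
        return fh.read()


ALLOWED_TEMPLATES = {"inbox", "compose", "settings"}  # constructed allowlist


def load_template_hardened(template_dir: str, name: str) -> str:
    """Maps the request parameter to a file only via an allowlist, then verifies
    the resolved path still lies inside template_dir (defence in depth against
    symlinks or a mis-edited allowlist)."""
    if name not in ALLOWED_TEMPLATES:
        raise TemplateError(f"unknown template {name!r}")
    root = os.path.realpath(template_dir)
    path = os.path.realpath(os.path.join(root, name + ".tpl"))
    if os.path.commonpath([root, path]) != root:
        raise TemplateError("template resolved outside template directory")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: templates in <tmp>/tpl, a sensitive file at <tmp>/secret.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = os.path.join(tmp, "tpl")
        os.mkdir(tpl)
        with open(os.path.join(tpl, "inbox.tpl"), "w", encoding="utf-8") as fh:
            fh.write("<h1>Inbox</h1>")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")

        results = {}
        # Attacker-controlled parameter walks out of the template directory.
        results["vuln_leak"] = load_template_vulnerable(tpl, "../secret.txt")
        # Legitimate request through the hardened loader.
        results["hardened_ok"] = load_template_hardened(tpl, "inbox")
        # Traversal, direct filename and absolute path all fail the allowlist.
        for bad in ("../secret.txt", "inbox.tpl", "/etc/passwd"):
            try:
                load_template_hardened(tpl, bad)
                results[bad] = "loaded"
            except TemplateError:
                results[bad] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the actual fix: the request parameter is never used as a path component, only as a key. The `realpath` containment check is kept as a second layer because denylisting `..` or stripping slashes is what tends to be bypassed by encoding tricks, whereas a resolved-path comparison does not depend on how the input was spelled.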
Priyanka Bhotika