Sign-up

ID

VAR-200712-0222


CVE

CVE-2007-6385


TITLE

Kerio WinRoute Firewall Proxy server vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2007-004722

DESCRIPTION

The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries. Kerio WinRoute Firewall is prone to an unspecified weakness that allows local users to bypass proxy authentication. Exploiting this issue may permit a local attacker to obtain web pages that are supposed to be administratively prohibited with proxy controls. Versions prior to Kerio WinRoute Firewall 6.4.1 contain this weakness. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. SOLUTION: Update to version 6.4.1. http://www.kerio.com/kwf_download.html PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.kerio.com/kwf_history.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2007-6385 // JVNDB: JVNDB-2007-004722 // BID: 26851 // VULHUB: VHN-29747 // PACKETSTORM: 61822

AFFECTED PRODUCTS

vendor:keriomodel:winroute firewallscope:eqversion:6.0.3

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.10

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.9

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.8

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.7

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.6

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.5

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.4

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.2

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:5.1.1

Trust: 1.9

vendor:keriomodel:winroute firewallscope:eqversion:6.2.3

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.2.2

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.2.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.2

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1.4

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1.3

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1.2

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.11

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.9

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.8

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.7

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.6

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.5

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.4

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.2

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.0

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.10

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.1.3

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.9

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.8

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.7

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.6

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.5

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.4

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.3

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.2

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:5.0.1

Trust: 1.3

vendor:keriomodel:winroute firewallscope:eqversion:6.1.4_patch_2

Trust: 1.0

vendor:keriomodel:winroute firewallscope:lteversion:6.4.0

Trust: 1.0

vendor:keriomodel:winroute firewallscope:eqversion:6.1.4_patch_1

Trust: 1.0

vendor:keriomodel:winroute firewallscope:eqversion:6.3.0

Trust: 1.0

vendor:keriomodel:winroute firewallscope:eqversion:6.3.1

Trust: 1.0

vendor:keriomodel:winroute firewallscope:ltversion:6.4.1

Trust: 0.8

vendor:keriomodel:winroute firewall patchscope:eqversion:6.1.42

Trust: 0.3

vendor:keriomodel:winroute firewall patchscope:eqversion:6.1.41

Trust: 0.3

vendor:keriomodel:winroute firewallscope:neversion:6.4.1

Trust: 0.3

sources: BID: 26851 // JVNDB: JVNDB-2007-004722 // CNNVD: CNNVD-200712-163 // NVD: CVE-2007-6385

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-6385
value: LOW

Trust: 1.0

NVD: CVE-2007-6385
value: LOW

Trust: 0.8

CNNVD: CNNVD-200712-163
value: LOW

Trust: 0.6

VULHUB: VHN-29747
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2007-6385
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-29747
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-29747 // JVNDB: JVNDB-2007-004722 // CNNVD: CNNVD-200712-163 // NVD: CVE-2007-6385

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-29747 // JVNDB: JVNDB-2007-004722 // NVD: CVE-2007-6385

THREAT TYPE

local

Trust: 1.0

sources: BID: 26851 // PACKETSTORM: 61822 // CNNVD: CNNVD-200712-163

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-200712-163

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-004722

PATCH
title:Kerio Control ? Release Historyurl:http://www.kerio.com/control/history
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-004722

EXTERNAL IDS
db:NVDid:CVE-2007-6385
Trust: 2.8
db:BIDid:26851
Trust: 2.0
db:SECUNIAid:28072
Trust: 1.8
db:SECTRACKid:1019095
Trust: 1.7
db:OSVDBid:42122
Trust: 1.7
db:VUPENid:ADV-2007-4212
Trust: 1.7
db:JVNDBid:JVNDB-2007-004722
Trust: 0.8
db:XFid:39020
Trust: 0.6
db:CNNVDid:CNNVD-200712-163
Trust: 0.6
db:VULHUBid:VHN-29747
Trust: 0.1
db:PACKETSTORMid:61822
Trust: 0.1
sources:
            
            
            VULHUB: VHN-29747 // 
            
            
            
            BID: 26851 // 
            
            
            
            JVNDB: JVNDB-2007-004722 // 
            
            
            
            PACKETSTORM: 61822 // 
            
            
            
            CNNVD: CNNVD-200712-163 // 
            
            
            
            NVD: CVE-2007-6385

REFERENCES
url:http://www.kerio.com/kwf_history.html
Trust: 2.1
url:http://www.securityfocus.com/bid/26851
Trust: 1.7
url:http://osvdb.org/42122
Trust: 1.7
url:http://www.securitytracker.com/id?1019095
Trust: 1.7
url:http://secunia.com/advisories/28072
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/4212
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/39020
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-6385
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-6385
Trust: 0.8
url:http://www.frsirt.com/english/advisories/2007/4212
Trust: 0.6
url:http://xforce.iss.net/xforce/xfdb/39020
Trust: 0.6
url:http://www.kerio.com
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/product/3613/
Trust: 0.1
url:http://www.kerio.com/kwf_download.html
Trust: 0.1
url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/advisories/28072/
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            VULHUB: VHN-29747 // 
            
            
            
            BID: 26851 // 
            
            
            
            JVNDB: JVNDB-2007-004722 // 
            
            
            
            PACKETSTORM: 61822 // 
            
            
            
            CNNVD: CNNVD-200712-163 // 
            
            
            
            NVD: CVE-2007-6385

CREDITS
The vendor disclosed this issue.
Trust: 0.9
sources:
            
            
            BID: 26851 // 
            
            
            
            CNNVD: CNNVD-200712-163

SOURCES
db:VULHUBid:VHN-29747
db:BIDid:26851
db:JVNDBid:JVNDB-2007-004722
db:PACKETSTORMid:61822
db:CNNVDid:CNNVD-200712-163
db:NVDid:CVE-2007-6385

LAST UPDATE DATE
2025-04-10T23:22:25.637000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-29747date:2017-08-08T00:00:00
db:BIDid:26851date:2015-05-07T17:34:00
db:JVNDBid:JVNDB-2007-004722date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200712-163date:2007-12-14T00:00:00
db:NVDid:CVE-2007-6385date:2025-04-09T00:30:58.490

SOURCES RELEASE DATE
db:VULHUBid:VHN-29747date:2007-12-15T00:00:00
db:BIDid:26851date:2007-12-13T00:00:00
db:JVNDBid:JVNDB-2007-004722date:2012-09-25T00:00:00
db:PACKETSTORMid:61822date:2007-12-14T00:12:58
db:CNNVDid:CNNVD-200712-163date:2007-12-14T00:00:00
db:NVDid:CVE-2007-6385date:2007-12-15T02:46:00