Overview
The reported vulnerability is a "Clickjacking" vulnerability and is present in the email preview feature of Kerio Connect version 8 and version 9.
The vulnerability is a risk to users whose mailbox is hosted on Kerio Connect, who are logged into Kerio Connect, and who use the email preview feature. The risk is that an attacker could insert a malicious link into an email that tricks the user into clicking a button, or a link to a web page, that takes them out of the Kerio Connect user interface.
Reported by Remco Verhoef @remco_verhoef (remco@dutchsec.com).
Impact
An attacker could send a specially crafted HTML email to a victim who uses Kerio Connect. When the email is displayed in the Kerio Connect Client web application or desktop application, the attacker can trick the user into clicking a button or link on a page other than the one they believe they are clicking.
- Severity: Medium
- Overall CVSS v3 Score: 6.1
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:U/RC:C
- Overall CVSS v2 Score: 4.1
- CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:ND/RC:C
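As an added illustration of the kind of protection mechanism a mail preview pane needs, the Python sanitizer below is example code written for this advisory page, not Kerio's fix and not taken from the Kerio Connect code base. It assumes (and this is an assumption, not something the advisory states) that the useful controls for overlay-style clickjacking in rendered mail are: dropping embeddable and scriptable elements, removing inline CSS that lets mail content be positioned over or hidden beneath the host interface, dropping non-http(s)/mailto link targets, and forcing links to open in a new browsing context. The sample message is constructed for the example.

```python
from html.parser import HTMLParser
from html import escape

# Elements dropped together with their content: nothing inside them should reach the preview.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "svg", "math", "noscript"}
# Elements dropped while their inner text is kept.
DROP_TAG_ONLY = {"link", "meta", "base", "html", "head", "body"}
# Void elements that never get a closing tag in the output.
VOID = {"br", "img", "hr", "area", "col", "wbr"}
# CSS properties (assumed list) that let mail content be layered over, moved onto, or hidden
# beneath the surrounding user interface; all of them are stripped from style attributes.
OVERLAY_PROPS = {"position", "top", "left", "right", "bottom", "z-index", "opacity",
                 "pointer-events", "visibility", "clip", "clip-path", "transform"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class PreviewSanitizer(HTMLParser):
    """Re-emits an untrusted HTML mail body with overlay/clickjacking primitives removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.removed = []    # audit trail of what was stripped (useful for logging/detection)
        self._skip_depth = 0  # > 0 while inside an element dropped with its content
        self._skip_tag = None

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth, self._skip_tag = 1, tag
            self.removed.append(f"element <{tag}> with content")
            return
        if tag in DROP_TAG_ONLY:
            self.removed.append(f"element <{tag}>")
            return
        clean = []
        for name, value in attrs:
            if name.startswith("on"):                      # inline event handlers
                self.removed.append(f"handler {name} on <{tag}>")
                continue
            if name == "style":
                value = self._filter_style(value or "", tag)
                if not value:
                    continue
            if name in ("href", "src", "action", "formaction"):
                if not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                    self.removed.append(f"unsafe {name} on <{tag}>")
                    continue
            clean.append((name, value))
        if tag == "a":
            # Links always leave the preview in a fresh, isolated browsing context.
            clean = [(n, v) for n, v in clean if n not in ("target", "rel")]
            clean += [("target", "_blank"), ("rel", "noopener noreferrer")]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in clean)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag == self._skip_tag:
                self._skip_depth -= 1
            return
        if tag in DROP_TAG_ONLY or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def _filter_style(self, style, tag):
        kept = []
        for decl in style.split(";"):
            if ":" not in decl:
                continue
            prop, val = decl.split(":", 1)
            prop = prop.strip().lower()
            if prop in OVERLAY_PROPS or "expression(" in val.lower() or "url(" in val.lower():
                self.removed.append(f"style {prop} on <{tag}>")
                continue
            kept.append(f"{prop}:{val.strip()}")
        return "; ".join(kept)


def sanitize_email_html(html):
    """Return (sanitized_html, list_of_removed_items) for an untrusted mail body."""
    parser = PreviewSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: an invisible, absolutely positioned block placed over the host UI,
# an inline handler, an embedded frame, and an ordinary paragraph that must survive intact.
SAMPLE = (
    '<div style="position:absolute; top:0; left:0; opacity:0; color:#000">'
    '<a href="https://example.invalid/prize" onclick="x()">Claim</a></div>'
    '<iframe src="https://example.invalid/"></iframe>'
    '<p>Hello &amp; welcome</p>'
)

if __name__ == "__main__":
    html_out, stripped = sanitize_email_html(SAMPLE)
    print(html_out)
    for item in stripped:
        print("removed:", item)
```

The `removed` list is deliberately returned alongside the cleaned markup: a preview component that logs how often positioning CSS or embedded frames are stripped from incoming mail gains a cheap signal for spotting messages built to overlay the interface.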
Resolution
A fix for this vulnerability is available for Kerio Connect as of version 9.2.3. You can download the latest release of Kerio Connect from here.
Vulnerable versions
- Kerio Connect 8.0.0
- Kerio Connect 8.0.1
- Kerio Connect 8.0.2
- Kerio Connect 8.1.0
- Kerio Connect 8.1.1
- Kerio Connect 8.1.2
- Kerio Connect 8.1.3
- Kerio Connect 8.2.0
- Kerio Connect 8.2.1
- Kerio Connect 8.2.2
- Kerio Connect 8.2.3
- Kerio Connect 8.2.4
- Kerio Connect 8.3.0
- Kerio Connect 8.3.1
- Kerio Connect 8.3.2
- Kerio Connect 8.3.3
- Kerio Connect 8.3.4
- Kerio Connect 8.4.0
- Kerio Connect 8.4.1
- Kerio Connect 8.4.2
- Kerio Connect 8.4.3
- Kerio Connect 8.5.0
- Kerio Connect 8.5.1
- Kerio Connect 8.5.2
- Kerio Connect 8.5.3
- Kerio Connect 9.0.0
- Kerio Connect 9.0.1
- Kerio Connect 9.0.2
- Kerio Connect 9.0.3
- Kerio Connect 9.0.4
- Kerio Connect 9.1.0
- Kerio Connect 9.1.1
- Kerio Connect 9.2.0
- Kerio Connect 9.2.1
- Kerio Connect 9.2.2
- Kerio Connect Client desktop application for Windows and Mac 9.2.0
- Kerio Connect Client desktop application for Windows and Mac 9.2.1
- Kerio Connect Client desktop application for Windows and Mac 9.2.2
Technical details
Protection Mechanism Failure (CWE-693)