GFI Kerio Connect – sensitive information disclosure in every sent email
Kerio Connect 9.2.7 and older adds the following sensitive information to the header of every sent email:
Received: from [{mailserver}] ([{mailserver}])
(authenticated user {full user})
by mailserver ({full version number}) with ESMTPSA
While disclosing {full version number} is already a problem, because attackers learn exactly which version they are dealing with, disclosing the authenticated user {full user} is worse.
Kerio Connect is often deployed as a replacement for Microsoft Exchange Server, including its ActiveSync functionality.
This means remote access to these machines is enabled.
There is also the web interface/webmail client, typically running on port 443, and access to it cannot be prevented.
Unfortunately, GFI is not interested in removing this sensitive information, nor do they offer an option in the server's administration interface to remove or modify it.
The vendor has already been notified; instead of considering their users' security and privacy, they point to Gmail, stating that even Google does not care about exposing version numbers and authenticated users.
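The header shape quoted above is what to look for when checking what a mail server leaks about its users. As an added example (not code from the original post, and not from GFI or Kerio), the following Python script parses the Received headers of a constructed sample message, reports any hop that carries an authenticated user or a software version string, and shows how an outbound relay could rewrite such a header before the message leaves the organisation. The hostnames, addresses, message id and version string in the sample are placeholders.

```python
"""Audit Received headers for authenticated-user and software-version
disclosure of the kind described for Kerio Connect, and show how such a
header can be redacted on an outbound relay.

Added example, not code from the original post or from GFI/Kerio.
All names, addresses and ids in the sample message are constructed."""
import email
import re

# Constructed sample message. The first Received hop mimics the shape shown
# in the post: authenticated user, server name, software + version, ESMTPSA.
SAMPLE_MESSAGE = b"""\
Received: from [203.0.113.10] ([203.0.113.10])
\t(authenticated user alice@example.org)
\tby mail.example.org (Kerio Connect 9.2.7) with ESMTPSA
\tid 12345; Mon, 1 Jan 2018 12:00:00 +0100
Received: from mail.example.org by relay.example.net with ESMTPS;
\tMon, 1 Jan 2018 12:00:01 +0100
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

# "(authenticated user <something>)" as it appears in the header
AUTH_RE = re.compile(r"\(authenticated user ([^)\s]+)\)")
# "by <host> (<software ... digits.digits ...>)": the comment after the
# receiving host name that carries a version number
VERSION_RE = re.compile(r"\bby\s+(\S+)\s+\(([^)]*\d+\.\d+[^)]*)\)")


def received_headers(raw_message: bytes) -> list:
    """Return every Received header of the message, unfolded and with
    runs of whitespace collapsed so regexes can work on one line."""
    msg = email.message_from_bytes(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def audit_received_headers(raw_message: bytes) -> list:
    """Return one finding per hop that discloses an authenticated user
    and/or a software version. Hop 0 is the first (innermost) hop."""
    findings = []
    for hop, header in enumerate(received_headers(raw_message)):
        auth = AUTH_RE.search(header)
        version = VERSION_RE.search(header)
        if auth or version:
            findings.append({
                "hop": hop,
                "authenticated_user": auth.group(1) if auth else None,
                "server": version.group(1) if version else None,
                "software": version.group(2) if version else None,
            })
    return findings


def redact_disclosure(header: str) -> str:
    """Rewrite one Received header the way an outbound relay could:
    keep the hop structure, drop the user name and the version comment."""
    header = " ".join(header.split())
    header = AUTH_RE.sub("(authenticated user [redacted])", header)
    header = VERSION_RE.sub(lambda m: f"by {m.group(1)} ([redacted])", header)
    return header


if __name__ == "__main__":
    for finding in audit_received_headers(SAMPLE_MESSAGE):
        print("hop", finding["hop"], "discloses:", finding)
    for header in received_headers(SAMPLE_MESSAGE):
        print("redacted:", redact_disclosure(header))
```

Run it against a message you sent through your own server (for example, one saved from the recipient's mailbox) to see exactly which hop adds the user name and version. The redaction function is only useful if an outbound relay under your control rewrites headers, since the post notes that Kerio Connect itself offers no option to suppress them.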