Kerio software affected by Shellshock: if running on Linux, please update your OS

The Shellshock vulnerability (CVE-2014-6271, with the incomplete-fix follow-up CVE-2014-7169) is a security bug in GNU Bash, the default shell on many Linux distributions and on Mac OS X. Bash imports function definitions from environment variables, and affected versions keep executing whatever text follows the function body. An attacker who can place controlled text into an environment variable of a process that then starts bash, for example a CGI script behind a web server, a DHCP client hook script, or a restricted SSH command, can run arbitrary commands with that process's privileges. No shell login is required, which is why the bug is exploitable remotely.

Impact on Kerio Products

Kerio Control does not ship the Bourne-Again shell (Bash) and is not affected by this vulnerability. All Linux systems in the Samepage infrastructure are up to date and are not vulnerable. Kerio Operator (all editions) and the Kerio Connect Virtual Appliance include the affected Bash version in their underlying operating system. Kerio Connect Virtual Appliance does not pass user-supplied data into the Bash environment, so the bug cannot be reached through Kerio Connect itself. Kerio Operator up to version 2.3.2 is exploitable via DHCP from the local network and will receive a patch (see Next Steps below).

Next Steps

Samepage

No action necessary. All Linux systems in the Samepage infrastructure are up to date.

Kerio Control (All Editions / Versions)

No action necessary. The affected Bourne-Again shell (Bash) is not included in Kerio Control.

Kerio Operator (Virtual Appliance, Software Appliance, and Box Editions)

Kerio Operator up to version 2.3.2 includes the affected Bash shell, and the vulnerability is exploitable via DHCP by an attacker with access to the local network (a rogue DHCP server on that network can reach the appliance's DHCP client). We will release a patch version early next week (i.e. the week starting 2014-09-29). Until then, keep the appliance on a network segment where you control the DHCP server.

Kerio Connect (Virtual Appliance, Linux, and Mac OS X)

We recommend installing the operating system updates that fix this vulnerability at the OS level. This is strongly encouraged if other services run on the same server besides Kerio Connect, and it applies to all Linux distributions and to Mac OS X. Use your operating system's default update mechanism, and make sure you are running a distribution version that still receives security updates, since only those received the fix. On Debian and Ubuntu run “sudo apt-get update” followed by “sudo apt-get upgrade”; on CentOS run “sudo yum update”. Users of the Kerio Connect Virtual Appliance may need to modify the server configuration to receive the latest updates (see below). On OS X use the default “Software Update” application.
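Two checks an administrator will want around the OS update described above, as an added example (not Kerio's code): does the local bash still honour the function-import trick from CVE-2014-6271, and do web server logs show the "() {" marker that Shellshock probes carry in request headers? The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not Kerio's code. Run before and after the OS update.

# Prints "vulnerable", "patched" or "no-bash". A vulnerable bash executes
# the "echo VULN" that trails the function body while importing x.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    out=$(env x='() { :;}; echo VULN' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable; return 1 ;;
        *)      echo patched;    return 0 ;;
    esac
}

# Reads log lines on stdin and prints how many carry a function-definition
# prefix. A fixed-string match on "() {" catches the canonical probe form
# wherever it sits in the line (User-Agent, Cookie, Referer, ...).
shellshock_scan() {
    grep -c -F '() {' || :
}

# Constructed sample access log (not real traffic): one Shellshock probe
# in the User-Agent field, one ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

count_probes_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_scan
}

echo "local bash: $(shellshock_check)"
echo "probes in sample log: $(count_probes_in_sample)"
```

The probe only exercises the original bug; CVE-2014-7169 and the later parser fixes are confirmed by checking the installed bash package version against your distribution's advisory, not by this test. The log scan is a triage aid: a hit tells you someone tried, and whether it succeeded depends on whether the targeted CGI or hook ever invoked bash.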

Sign up for Kerio Webinar for 8.2

Kerio Control 8.2 introduces Content Filter, a feature that saves administrators time: instead of blocking multiple ports, they can block Kerio Web Filter categories and different types of application protocols regardless of the port those applications use.

With the increasing adoption of IPv6, Kerio Control 8.2 brings improved security and user management by introducing HTTP protocol inspection on IPv6, providing antivirus scanning, Kerio Web Filter and content filtering for IPv6 traffic.

Join us for this webinar and learn more about all the great new features, which include:

  • Content Filter
  • L2TP interface support
  • HTTP protocol inspection on IPv6
  • PAE enabled in Linux kernel
  • And more…

Dshield Identified Top Attackers blocks access from the LAN (your network loses Internet access)

The IDS/IPS security update (version 2.413) released on 1 October 2013 can cause the ‘Dshield Identified Top Attackers’ rule group to block LAN traffic from the local /24 range, so clients lose Internet access. We identified the problem and immediately released corrected IDS/IPS rules (version 2.414). The rules are updated automatically within the default update interval, but you may need to reboot Kerio Control for the fix to take effect.


  1. All Kerio Control versions
    • If the administration interface can be reached from a different source IP address (e.g. via VPN client, remotely from the Internet, or from another network IP address range), press the Update Now button to update the rules manually.
    • If the Kerio Control administration interface cannot be reached, restart the server; Kerio Control should invoke the update automatically within 10 minutes after the restart.

How to Migrate from Kerio Control (Windows Edition) to the Appliance Editions

From the Kerio  blog…

As of version 8 (announced earlier this month), Kerio Control is available only as a software, virtual, or hardware appliance. This means customers who currently run the Windows version should strongly consider migrating to one of the appliance editions. There is no cost to transfer your license to the Software or Virtual Appliance, and in most cases, you can continue using the same hardware.

The actual migration process is not complicated, but there are several “best practices” to make the process a smooth one. I’ve listed the key steps below, and also some special considerations to be aware of:


  1. Export the current Kerio Control configuration, including DHCP leases and SSL certificates. This backup will include the Kerio Control configuration and product license.
  2. Install the new Kerio Control software appliance/box with the same version of Control and same number of network interfaces as you have on Windows. We do recommend installing a new virtual appliance from OVF, or in case of a physical PC, use an ISO image.
  3. Setup your new Kerio Control appliance with different temporary IPs. The appliance needs a working Internet connection in order to finish setup.
  4. If you use Active Directory, connect the appliance to the AD. Do not use the same hostname as you have for Windows. You can change that later.
  5. Import your configuration to the appliance, and be sure to match network interfaces (LAN/WAN).
  6. Check if you have any additional IPs on Windows network interfaces or Windows custom static routes. If so, be sure to save them.
  7. Shutdown the Windows Kerio Control application.
  8. Use the appliance console to change the IPs to the same ones that you had on Windows. If you had additional IPs on the interfaces, use the product web administration to add them as well.
  9. Log into the admin interface and make sure everything works as intended.

Special considerations:

  • When exporting the configuration, don’t forget to select also SSL certificates and DHCP leases.
  • Custom Windows settings (like custom routes, Dial-in interfaces etc.) won’t be transferred – you must configure those again on software appliance.
  • Note that export and import does not transfer IP addresses of the interfaces.
  • Due to the differences between Linux and Windows, any additional IPs on Windows interface won’t be transferred and must be configured manually on the appliance.
  • User statistics cannot be transferred to the new appliance.
  • If you use AD/OD for user authentication, we recommend creating a temporary Kerio Control local admin account in case of issues with AD/OD.

I hope this helps. Quite a few common questions that may come to mind are addressed in the KB article titled “Kerio Control (Windows Edition) to the Appliance Editions (Software/Virtual/Hardware)”. More details about license and configuration transfer between the various editions of Kerio Control can be found in the article titled ”Can I transfer my configuration and license from the Windows version of Kerio Control to the Software Appliance Edition?”

If you have any questions, please use the comments below and I will be sure to respond.

-Petr Dobry

Sophos AV Update

Sophos AV Engine Update Required
The Sophos Anti-Virus scanning engine included in Kerio Connect (7.1.x) and Kerio Control (7.0.x and 7.1.x) has been replaced with a newer version, and Sophos has ceased delivering virus definition updates to those older engine versions. The old engine will continue to run, but its virus definitions will no longer be updated, so its detections will age quickly. To ensure your customers continue to receive the latest security updates, they must download and install the latest version of Kerio Connect (7.4) or Kerio Control (7.3) to avoid any disruption of the Sophos security service.

Has your self-signed certificate ever expired?

If you’ve ever run into this situation, it probably happened just one year after installing Kerio Connect. At the same time your users probably complained about SSL certificate warnings in their mail programs. This is because the default setting for new, self-signed certificates is set to expire after one year. To avoid this situation, consider creating a new certificate using the option of a 10-year expiration. After everyone has connected over SSL and has installed the certificate, you’ll have a full decade to worry about more important issues.
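The one-year default versus the ten-year option, as an added example that uses openssl rather than Kerio Connect's own certificate dialog (this is not Kerio's code; the hostname mail.example.com and the file names are assumptions). The useful part for an administrator is the last function: it asks whether the certificate will still be valid a given number of days from now, which is the check to put on a calendar or a monitoring job so users never see the warning again.

```shell
#!/bin/sh
# Added example (not Kerio's tooling). Hostname, directory and file
# names are assumptions.

# Key and self-signed cert for host $3 (default mail.example.com),
# valid for $2 days, written to directory $1.
make_selfsigned() {
    dir=$1; days=$2; host=${3:-mail.example.com}
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$host" >/dev/null 2>&1
}

# Print the notAfter date of certificate $1.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate
}

# Succeed if certificate $1 is still valid $2 days from now.
# openssl's -checkend takes seconds, hence the multiplication.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" 365 mail.example.com        # the one-year default
    echo "1-year cert:  $(cert_enddate "$tmp/server.crt")"
    cert_valid_for_days "$tmp/server.crt" 400 \
        || echo "1-year cert:  expired within 400 days, renew now"
    make_selfsigned "$tmp" 3650 mail.example.com       # the 10-year option
    echo "10-year cert: $(cert_enddate "$tmp/server.crt")"
    cert_valid_for_days "$tmp/server.crt" 400 \
        && echo "10-year cert: still valid in 400 days"
    rm -rf "$tmp"
fi
```

Two caveats a practitioner would add: the ten-year lifetime only works because the certificate is self-signed and explicitly trusted by your own clients; certificates chaining to a publicly trusted CA are capped at far shorter lifetimes by current browsers and CA policy. And the private key lives as long as the certificate does, so a long validity period is an argument for keeping that key file tightly permissioned and for reissuing promptly if the server is ever compromised.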