Clickjacking vulnerability in Kerio Connect 8 and 9 (CVE-2017-7440)


Overview

The reported vulnerability is a "Clickjacking" vulnerability and is present in the email preview feature of Kerio Connect version 8 and version 9.

The vulnerability is a risk to users who have their mailbox on Kerio Connect, are logged into Kerio Connect and are using the email preview functionality. The risk is that an attacker could insert a malicious link into an email that tricks the user into clicking a button, or a link to a web page, that takes them out of the Kerio Connect user interface.

Reported by Remco Verhoef @remco_verhoef (remco@dutchsec.com).

Impact

An attacker could send a specially crafted HTML email to a victim who uses Kerio Connect. When the email is displayed in the Kerio Connect web client or desktop application, the attacker can trick the user into clicking a button or link on a page other than the one they believe they are clicking.
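The advisory does not describe how the 9.2.3 fix works, so the following is a generic defender-side check for the clickjacking class rather than Kerio's own code: it audits an HTTP response's headers for the framing controls (Content-Security-Policy frame-ancestors, X-Frame-Options) that stop an application page from being embedded by another origin. This is an added example, not part of the original advisory; the sample header sets are constructed, and the function and class names are the author's own.

```python
"""Audit HTTP response headers for anti-framing protection.

Added example (not Kerio Connect code): a small checker that reports
whether a response carries a framing control that defends against
clickjacking. Sample responses below are constructed, not captured.
"""

from dataclasses import dataclass
from typing import List, Mapping, Optional


@dataclass
class FramingVerdict:
    protected: bool
    reason: str


def _parse_csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers: Mapping[str, str]) -> FramingVerdict:
    """Decide whether the given response headers prevent cross-origin framing."""
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors is the modern control; browsers that support it
    # prefer it over X-Frame-Options, so evaluate it first.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in (["'none'"], ["'self'"]):
                return FramingVerdict(True, f"CSP frame-ancestors {ancestors[0]}")
            if "*" in ancestors:
                return FramingVerdict(False, "CSP frame-ancestors allows any origin (*)")
            # Explicit allow-list: protected, provided the listed origins are trusted.
            return FramingVerdict(True, "CSP frame-ancestors allow-list: " + " ".join(ancestors))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(True, f"X-Frame-Options {xfo}")
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive that current browsers ignore, so it gives no protection.
        return FramingVerdict(False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers")

    return FramingVerdict(False, "no frame-ancestors directive and no X-Frame-Options header")


# Constructed sample responses for the audit (not from any real server).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
}


def audit(samples: Mapping[str, Mapping[str, str]] = SAMPLES) -> dict:
    """Run the check over every sample and return name -> verdict."""
    return {name: assess_framing_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        status = "OK  " if verdict.protected else "FAIL"
        print(f"{status} {name}: {verdict.reason}")
```

In a real review the headers would come from the application's own responses (for a webmail client, the pages that render the email preview); the checker deliberately treats the obsolete ALLOW-FROM form as unprotected because current browsers ignore it.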

Resolution

A fix for this vulnerability is available for Kerio Connect as of version 9.2.3. You can download the latest release of Kerio Connect from here.

Vulnerable versions

  • Kerio Connect 8.0.0
  • Kerio Connect 8.0.1
  • Kerio Connect 8.0.2
  • Kerio Connect 8.1.0
  • Kerio Connect 8.1.1
  • Kerio Connect 8.1.2
  • Kerio Connect 8.1.3
  • Kerio Connect 8.2.0
  • Kerio Connect 8.2.1
  • Kerio Connect 8.2.2
  • Kerio Connect 8.2.3
  • Kerio Connect 8.2.4
  • Kerio Connect 8.3.0
  • Kerio Connect 8.3.1
  • Kerio Connect 8.3.2
  • Kerio Connect 8.3.3
  • Kerio Connect 8.3.4
  • Kerio Connect 8.4.0
  • Kerio Connect 8.4.1
  • Kerio Connect 8.4.2
  • Kerio Connect 8.4.3
  • Kerio Connect 8.5.0
  • Kerio Connect 8.5.1
  • Kerio Connect 8.5.2
  • Kerio Connect 8.5.3
  • Kerio Connect 9.0.0
  • Kerio Connect 9.0.1
  • Kerio Connect 9.0.2
  • Kerio Connect 9.0.3
  • Kerio Connect 9.0.4
  • Kerio Connect 9.1.0
  • Kerio Connect 9.1.1
  • Kerio Connect 9.2.0
  • Kerio Connect 9.2.1
  • Kerio Connect 9.2.2
  • Kerio Connect Client desktop application for Windows and Mac 9.2.0
  • Kerio Connect Client desktop application for Windows and Mac 9.2.1
  • Kerio Connect Client desktop application for Windows and Mac 9.2.2

Technical details

Protection Mechanism Failure (CWE-693)