The host is running Kerio Mail Server/Connect and is prone to plaintext command injection vulnerability.

Successful exploitation will allow attacker to execute arbitrary commands in the context of the user running the application. Impact Level: Application

No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

This flaw is caused by an error within the 'STARTTLS' implementation where the switch from plaintext to TLS is implemented below the application's I/O buffering layer, which could allow attackers to inject commands during the plaintext phase of the protocol via man-in-the-middle attacks.

Kerio MailServer versions 6.x Kerio Connect version 7.1.4 build 2985

• http://secunia.com/advisories/43678
• http://www.vupen.com/english/advisories/2011/0610

---

Updated on 2015-03-25