In today’s world of constant threats, data at rest isn’t the only data that needs to be protected with encryption. With the volume of data traversing the internet, encrypting data in transit is just as important, whether that traffic is ordinary internet traffic or VPN traffic.
Kerio Control VPN has always done a great job of encrypting traffic and blocking threats to the organization. Because vulnerabilities may be discovered outside the normal release cycle, GFI takes steps to mitigate such threats in a timely manner, without waiting for customers to report issues – and without waiting for the next release.
During a recent penetration test of the Kerio Control VPN, developers discovered that the Blowfish encryption used by Kerio had become obsolete. Testing showed that an attacker could potentially break the Blowfish-protected traffic and replace the content of the VPN stream with something else, potentially malicious.
The identified vulnerabilities stem from the weaker cryptography of the Blowfish cipher, which had been in use since the initial release of Kerio Control VPN. They were confirmed to affect Kerio Control versions below 9.2.8 (the current version at the time of writing is 9.3.2).
As a result of GFI’s testing, the Kerio Control VPN software was changed to use AES-128 instead of Blowfish. Customers running Kerio Control 9.2.7 or lower are urged to upgrade to at least version 9.2.8. The more robust AES-128 cipher provides a far more secure tunnel.
AES is a symmetric-key encryption cipher, often viewed as the gold standard for data encryption. AES is standardized by NIST and is used by the US government to protect sensitive data, which has led to its general adoption as the symmetric cipher of choice by most organizations. Although other symmetric ciphers, such as Blowfish, have been considered secure, AES is widely regarded as the most secure symmetric-key cipher invented to date.
To illustrate how secure your data is when using Kerio Control VPN, consider this:
In 2017, the Sunway TaihuLight supercomputer in China, then considered the most powerful computer in the world, was clocked at a peak speed of 93.02 petaflops. Even at that speed, it would take almost 900 quadrillion years to brute-force a 128-bit AES key. Suffice it to say, nobody is cracking AES-128 to get at your VPN data when you use Kerio Control VPN.
To determine whether vulnerable VPN clients are connecting to Kerio Control, open the Kerio Control administration console and click “Status” in the left sidebar, then click “VPN Clients” to display the list of connected clients. Make sure the “Version” column is shown and check whether any client is running version 9.2.7 or earlier.
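The same version check can be scripted over an exported client list. This is an added example and not Kerio or GFI code; it assumes a CSV export with “Username” and “Version” columns (constructed below) and version strings made of dotted integers, optionally followed by build text. Versions are compared numerically so that, for instance, 9.2.10 is correctly treated as newer than 9.2.8.

```python
# Added example (not Kerio/GFI code): flag VPN clients whose reported
# version is below 9.2.8, the first release that replaced Blowfish with AES-128.
# Components are compared as integers, not as strings, so "9.2.10" sorts
# above "9.2.8" (a plain string comparison gets this wrong).
import csv
import io
import re

FIXED_VERSION = (9, 2, 8)

def parse_version(text):
    """Turn '9.2.7' or '9.2.7 build 3114' into a tuple of ints, padded to
    three components. Raises ValueError when no version can be recognised."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def is_vulnerable(version_text):
    """True when the client version predates the AES-128 fix (9.2.8)."""
    return parse_version(version_text) < FIXED_VERSION

def vulnerable_clients(csv_text):
    """Return (username, version) pairs for every row below 9.2.8.
    Rows whose Version cell cannot be parsed are reported too: an unknown
    version should be treated as unverified, not silently skipped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = row.get("Version", "")
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            vulnerable = True
        if vulnerable:
            flagged.append((row.get("Username", ""), version))
    return flagged

# Constructed sample export; column names are an assumption, not a real Kerio export.
SAMPLE_EXPORT = """Username,Version
alice,9.2.7
bob,9.2.10
carol,9.3.2
dave,9.1.4 build 2190
erin,unknown
"""

if __name__ == "__main__":
    for user, ver in vulnerable_clients(SAMPLE_EXPORT):
        print("%s: %s" % (user, ver))
```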
Follow the URL below for instructions on how to upgrade Kerio Control and Kerio Control VPN software to version 9.2.8: