CVE-2004-1907 in Personal Firewallinfo

Summary

by MITRE

The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13".

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/17/2025

The vulnerability identified as CVE-2004-1907 affects Kerio Personal Firewall version 4.0.13 and specifically targets its web filtering component. This issue represents a classic buffer overflow condition that occurs when the firewall processes malformed URL sequences, creating a potential attack vector for remote adversaries seeking to disrupt network services. The vulnerability manifests through the improper handling of hex-encoded URLs that contain the specific sequence "%13%12%13" which causes the application to crash during processing. This type of flaw falls under the category of improper input validation and represents a fundamental security weakness in how the software handles user-supplied data.

The technical implementation of this vulnerability demonstrates a failure in the application's parsing logic for web content filtering. When the Kerio Personal Firewall encounters the malicious URL sequence, it attempts to process the hex-encoded characters without proper bounds checking or input sanitization, leading to memory corruption that ultimately results in application termination. This behavior aligns with CWE-121, which describes unsafe use of a stack-based buffer, and CWE-122, which addresses unsafe use of a heap-based buffer. The flaw operates at the protocol level where the firewall's web filtering engine receives and processes HTTP requests containing specially crafted URL parameters, making it particularly dangerous as it can be exploited through standard web browsing activities.

From an operational perspective, this vulnerability creates a significant risk for users running Kerio Personal Firewall 4.0.13 as it allows remote attackers to execute a denial of service attack without requiring any authentication or privileged access. The impact extends beyond simple service disruption since the firewall itself becomes unavailable, potentially leaving the network exposed to other threats during the downtime. Attackers can exploit this weakness by simply crafting a malicious web request containing the specific hex sequence and sending it to a target system, making the attack vector extremely accessible and difficult to prevent. This vulnerability directly maps to the ATT&CK technique T1498, which describes Denial of Service attacks, and represents a critical weakness in the firewall's resilience against malformed input.

The mitigation strategy for this vulnerability requires immediate patching of the Kerio Personal Firewall software to version 4.0.14 or later, which contains the necessary fixes for the URL parsing logic. Network administrators should also implement additional monitoring to detect unusual traffic patterns that might indicate exploitation attempts, particularly around web filtering components. The vulnerability highlights the importance of input validation and proper error handling in security applications, as the flaw exists in the core processing logic that should have been hardened against malformed data. Organizations using older versions of Kerio Personal Firewall should consider implementing network segmentation or alternative filtering solutions until the software can be properly updated, as the vulnerability represents a complete service disruption risk that cannot be effectively mitigated through configuration changes alone.

Reservation

05/04/2005

Disclosure

12/31/2004

Moderation

accepted

Entry

VDB-589

CPE

ready

Exploit

Download

EPSS

0.06673

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!