OpenSSL DER certificate vulnerability and SFTPPlus

Thu 26 April 2012 | security Written by Adi Roiban

Last week a bug was discovered that affects all OpenSSL versions released to date. It can cause various security issues.

More information about the original vulnerability report for OpenSSL can be found at the National Cyber Awareness System.

A fix has already been provided by the OpenSSL team, as of 24 April 2012.

Please note that the bug only affects products that use OpenSSL to read client or server certificates stored in DER format, and only when those certificates come from an untrusted Certificate Authority, that is, when the DER data could have been crafted by an attacker.

The vulnerability does not apply when certificates are stored in PEM format.

The vulnerability only affects the FTPS and HTTPS transfers of SFTPPlus products, since SFTPPlus Client and SFTPPlus Server read client and server certificates in various formats, including DER. If the DER certificates were generated by a trustworthy Certificate Authority, this bug does not introduce any security vulnerability.
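As an added example, not SFTPPlus code and not part of the original post, the following POSIX shell script shows the checks that follow from the paragraphs above. It tells DER files apart from PEM files by their first bytes, rejects DER files whose outer ASN.1 SEQUENCE header declares a size that disagrees with the file size (a generic DER sanity check, not a detector for this particular OpenSSL bug), and re-encodes DER certificates as PEM with the openssl x509 command so that the deployed product only has to load PEM files. The file name patterns, the certs/ directory in the usage line and the helper names are assumptions; the byte sequences used as sample input in testing are constructed. Note the caveat in convert_der_to_pem: the conversion itself parses the DER with OpenSSL, so run it on a host with a patched OpenSSL, or only on certificates you issued yourself.

```shell
#!/bin/sh
# Added example, not SFTPPlus code: identify DER certificates, sanity-check
# their outer ASN.1 header and re-encode them as PEM with the openssl CLI.
set -u

cert_format() {
    # Classify a certificate file by its leading bytes. PEM is Base64 text
    # wrapped in "-----BEGIN ..." lines; DER is binary and starts with 0x30,
    # the tag of the outer SEQUENCE of an X.509 certificate.
    f="$1"
    if grep -q -e '-----BEGIN' "$f" 2>/dev/null; then
        echo PEM
    elif [ "$(dd if="$f" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

der_total_length() {
    # Decode the outer SEQUENCE header of a DER file and print the total size
    # it declares (header bytes + content length). Returns 1 on a malformed
    # or truncated header.
    f="$1"
    set -- $(dd if="$f" bs=1 count=6 2>/dev/null | od -An -tu1)
    [ "${1-}" = "48" ] || return 1            # 0x30 = SEQUENCE
    len="${2-}"
    [ -n "$len" ] || return 1
    if [ "$len" -lt 128 ]; then               # short form: one length byte
        echo $((len + 2))
        return 0
    fi
    nbytes=$((len - 128))                     # long form: 0x8N, then N length bytes
    [ "$nbytes" -ge 1 ] && [ "$nbytes" -le 4 ] || return 1
    [ $# -ge $((nbytes + 2)) ] || return 1    # header itself is truncated
    shift 2
    total=0
    i=0
    while [ "$i" -lt "$nbytes" ]; do
        total=$(( (total << 8) + $1 ))
        shift
        i=$((i + 1))
    done
    echo $((total + 2 + nbytes))
}

der_sanity_check() {
    # Reject a DER file whose declared size disagrees with its actual size.
    # Such a file is malformed and should never reach the TLS library.
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    if ! declared=$(der_total_length "$f"); then
        echo "BAD $f: not a DER SEQUENCE"
        return 1
    fi
    if [ "$declared" -ne "$size" ]; then
        echo "BAD $f: header declares $declared bytes, file holds $size"
        return 1
    fi
    echo "OK $f: $size bytes"
}

convert_der_to_pem() {
    # Re-encode one DER certificate as PEM next to it. Caveat: openssl itself
    # parses the DER here, so do this with a patched OpenSSL or only on
    # certificates you issued yourself.
    der="$1"
    pem="${der%.*}.pem"
    der_sanity_check "$der" || return 1
    openssl x509 -inform DER -in "$der" -outform PEM -out "$pem" || return 1
    openssl x509 -in "$pem" -noout -subject -fingerprint -sha1
}

convert_tree() {
    # Convert every DER file below a directory; PEM files are left alone.
    # The name patterns are an assumption about how certificates are stored.
    find "$1" -type f \( -name '*.der' -o -name '*.cer' -o -name '*.crt' \) |
    while IFS= read -r f; do
        [ "$(cert_format "$f")" = "DER" ] && convert_der_to_pem "$f"
    done
}

# Usage (directory name is an assumption): sh der_to_pem.sh certs/
if [ -n "${1-}" ]; then
    convert_tree "$1"
fi
```

The sanity check deliberately stops at the outer header: a length that does not match the file is enough to discard the input, and anything deeper is the job of a fully patched parser.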

The vulnerability is easier to exploit on Intel x86 and x86_64 CPU architectures, since other CPU architectures have security mechanisms that make this kind of bug harder to exploit.

We considered it appropriate to let you know about this security issue while we work on including the fix in the latest SFTPPlus products.

New releases of the latest SFTPPlus product versions will be available in the near future and will include a fix for the security issue described above.

If you handle untrusted .DER certificates with an older version of SFTPPlus and cannot upgrade to the latest version, please let us know and we will provide a security update for the version used in your deployment.