The DROWN Attack and SFTPPlus

Thu 03 March 2016 | security Written by Adi Roiban

SFTPPlus Server versions 1.6 and newer are not vulnerable to the DROWN attack.

SFTPPlus versions 3 and newer are also not vulnerable to it.

The DROWN attack targets server-side products, thus the SFTPPlus client is not vulnerable to it.

SFTPPlus relies on OpenSSL for the SSL and TLS protocols used in implementing the FTPS and HTTPS protocols. The Unix and Linux versions of SFTPPlus use the OpenSSL libraries provided by the operating system. The Windows versions of SFTPPlus use the included OpenSSL libraries.

However, support for SSL version 2 was never available in SFTPPlus, so SFTPPlus users are not exposed to any vulnerability related to the use of SSL v2. Moreover, SSL and TLS security contexts are always configured with NO_SSLv2, so even if you are using an OpenSSL version with support for SSL v2, version 2 is explicitly denied in SFTPPlus.

The SFTP protocol is based on the SSH protocol and is not affected by SSL or TLS bugs.