
SFTPPlus is not vulnerable to the recent SSH / SFTP Terrapin attack.

We are aware of the recent Terrapin SSH protocol security concern. After reviewing the report, we have identified that SFTPPlus is not vulnerable: the practical attacks described there target SSH's use of the ChaCha20-Poly1305 cipher and of CBC-mode ciphers combined with Encrypt-then-MAC.

Neither ChaCha20-Poly1305 nor CBC-mode ciphers with Encrypt-then-MAC are supported by SFTPPlus.

The Terrapin attack is a security vulnerability in the SSH protocol. Terrapin allows a man-in-the-middle attacker to manipulate the initial message exchange during the protocol handshake phase. The attacker needs to be able to drop messages and inject new ones: messages injected before encryption is enabled are balanced by the same number of messages dropped once it is, so the sequence numbers on both sides stay consistent and the deletion goes unnoticed. This manipulation can lead to the client and server negotiating a lower level of security than they would otherwise have agreed on during the handshake phase.

Unauthenticated user access, private keys, or the content of the communication cannot be obtained through a Terrapin-related attack on its own. To gain anything, an attacker also needs to break the weaker protocol configuration that was negotiated through the Terrapin manipulation.

As long as client and server are configured to accept only the stronger algorithms, this type of attack does not affect the SSH connection.

Fully closing the attack vector requires updating both client and server software to versions implementing the OpenSSH strict key exchange extension (advertised during key exchange as the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com pseudo-algorithms). This is a new change to the SSH protocol, and it only takes effect when both peers support it.
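The two mitigations above, restricting the offered algorithms and deploying strict key exchange on both sides, can be checked offline from the SSH_MSG_KEXINIT messages each peer sends. The following is an added example and not SFTPPlus code: it builds constructed KEXINIT payloads (RFC 4253 section 7.1, zeroed cookie), parses them, applies the client-preference negotiation rule, and reports whether the negotiated channel is one Terrapin can attack (ChaCha20-Poly1305, or a CBC cipher with an -etm MAC) and whether strict key exchange is advertised by both peers. The function and variable names are this example's own.

```python
"""Offline Terrapin (CVE-2023-48795) exposure check on SSH KEXINIT payloads.

Added example, not SFTPPlus code. All KEXINIT samples below are constructed.
"""
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac):
    """Build a minimal SSH_MSG_KEXINIT payload (RFC 4253 section 7.1).
    Cookie is zeroed and compression is 'none'; this is constructed test data."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in (kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += _name_list(names)
    body += b"\x00"               # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)  # reserved for future extension
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # skip message id and 16-byte cookie
    parsed = {}
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated name-list for %s" % field)
        off += length
        parsed[field] = [n for n in raw.decode("ascii").split(",") if n]
    return parsed


def negotiate(client_names, server_names):
    """RFC 4253 rule: the first algorithm in the client's list the server also offers."""
    for name in client_names:
        if name in server_names:
            return name
    return None


def terrapin_verdict(client_kexinit, server_kexinit):
    """Decide whether a client/server pair negotiates a Terrapin-attackable channel.

    A direction is attackable when its negotiated cipher is ChaCha20-Poly1305, or a
    CBC cipher is paired with an Encrypt-then-MAC (-etm) MAC. The connection stays
    vulnerable unless BOTH peers advertise their strict key exchange pseudo-algorithm.
    """
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    result = {"strict_kex": STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"],
              "attackable_directions": []}
    for enc_f, mac_f in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        cipher = negotiate(c[enc_f], s[enc_f])
        mac = negotiate(c[mac_f], s[mac_f])
        cbc_etm = (cipher is not None and cipher.endswith("-cbc")
                   and mac is not None and mac.endswith("-etm@openssh.com"))
        if cipher == CHACHA20 or cbc_etm:
            result["attackable_directions"].append(enc_f[4:])  # "c2s" / "s2c"
    result["vulnerable"] = bool(result["attackable_directions"]) and not result["strict_kex"]
    return result


# Constructed samples: one patched client against three server configurations.
CLIENT = build_kexinit(["curve25519-sha256", STRICT_KEX_CLIENT], ["ssh-ed25519"],
                       [CHACHA20, "aes256-gcm@openssh.com", "aes256-ctr"],
                       ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
OLD_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                           [CHACHA20, "aes256-ctr"], ["hmac-sha2-256"])
PATCHED_SERVER = build_kexinit(["curve25519-sha256", STRICT_KEX_SERVER], ["ssh-ed25519"],
                               [CHACHA20, "aes256-ctr"], ["hmac-sha2-256"])
HARDENED_SERVER = build_kexinit(["curve25519-sha256"], ["ssh-ed25519"],
                                ["aes256-gcm@openssh.com", "aes256-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for label, server in (("old", OLD_SERVER), ("patched", PATCHED_SERVER),
                          ("hardened", HARDENED_SERVER)):
        print(label, terrapin_verdict(CLIENT, server))
```

The three server samples show the two ways out described in the text: the "patched" server still negotiates ChaCha20-Poly1305 but both peers advertise strict key exchange, while the "hardened" server simply never offers the attackable algorithms and so is safe even without the extension. The check deliberately inspects only what each peer offers; a real KEXINIT is protected by the exchange hash, so an attacker cannot change these lists, which is why configuration alone is an effective mitigation.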

SFTPPlus and other SSH software vendors are now working on releasing new software versions.