Articles from security category

Setting up security scanners for your SFTPPlus MFT Server

Wed 20 June 2018 | article security

Introduction

OWASP Logo

The following is a short guide on how you can set up a security scanner for your SFTPPlus MFT Server installation. For this guide, we have chosen a free and open source scanner, OWASP Zed Attack Proxy or zaproxy, as an example.

Of course, there are a number of other software and tools that you can use and all with varying mileage.

We can also cover these other tools, depending on interest. Therefore, if you would like to see more of these types of posts from SFTPPlus, please make sure to contact us. If you are not familiar with the terms, or need to do some background reading, you can scroll down to the Other resources section first.

To be kept up to date with the latest developments, please sign up to our security advisories.

About OWASP Zed Attack Proxy or zaproxy

For our server-side scan of the SFTPPlus MFT service (HTTPS and HTTP) and Local Manager, we used the OWASP Zed Attack Proxy or zaproxy which is a free and open source penetration testing tool released by OWASP and developed for website application security testing.

After running the application, you can generate a report for further consumption. The report contains OWASP ZAP specific terminology. These are listed below for your reference.

WASC ID This is the ID provisioned by the Web Application Security Consortium (WASC) Threat Classification project. Read more about WASC here.

CWE ID This is the ID provisioned by the Common Weakness Enumeration (CWE) project. Read more about CWE here.

Confidence This is the description of how confident the result is in the validity of the finding.

  • False Positive - for potential issues that one will later find is actually not exploitable.
  • Low - for unconfirmed issues.
  • Medium - for issues that zaproxy is somewhat confident in.
  • High - for findings that zaproxy is highly confident in.
  • Confirmed - for confirmed issues.

Risk Description of how serious the risk is. The risk shown is from the report generated by zaproxy.

Source This is the ZAP policies code. Read more here.

Using zaproxy to conduct an active scan on SFTPPlus services

Prerequisite

As a standard prerequisite, you will need the zaproxy application, a version of SFTPPlus Server software and consent to conduct these types of scanning activities if you are doing so on behalf of a group or organization.

For this example, we will be conducting an active scan of the SFTPPlus HTTP service available on the default port 10080. There are also other web-browser based services that you can scan such as the SFTPPlus Local Manager on port 10020 and the HTTPS service available on the default port 10443.

In addition, scanning can affect availability. We recommend a backup of your database.

What is an active scan?

Active scanning will attempt to find potential vulnerabilities by using known attacks against the selected target, in this case the SFTPPlus HTTP service. It should be noted that active scanning can only find certain types of vulnerabilities. Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. Manual penetration testing should always be performed in addition to active scanning to find all types of vulnerabilities.

Also, scanning will unearth results that also need to be consumed and understood by the relevant parties.

Setting up an active scan

In order to attack the authenticated part of the HTTP service, we will need to add the HTTP session token in the zaproxy application.

Go to 'Tools' -> 'Options' -> 'HTTP Sessions' -> add chevah_http_session in the Token Name. Make sure that this token is enabled then select 'OK'.

See screenshot below:

OWASP zaproxy adding custom HTTP sessions pane

Make sure that the 'HTTP Sessions' tab is open. To view the 'HTTP Sessions' tab, go to 'View' -> select 'Show Tab' -> then 'HTTP Sessions'. At this stage, the pane is empty but it will soon be populated with the correct values in the later steps.


In the 'Quick Start' pane, add http://localhost:10080 in the 'URL to attack' field. This is the URL for the SFTPPlus HTTP web-browser based file manager service. Do not press 'Attack', instead scroll down and select 'Launch Browser' for Chrome.

See screenshot below:

OWASP zaproxy Welcome pane

The reason why you cannot go straight to attacking/scanning the resource is because it still requires authentication. If not authenticated with zaproxy, you will see an error Failed to attack the URL: received a 401 response code.


After selecting 'Launch Browser', a new Chrome browser will launch and you will start seeing activity in the 'Sites' pane. The browser should have 'Explore your application with ZAP' as the landing page.

Open the URL http://localhost:10080 in the Chrome browser and login to the test file transfer account.

Once logged in, you should now see http://localhost:10080 in the 'Sites' pane.

OWASP zaproxy Sites pane

In the 'Sites' pane, right-click over the http://localhost:10080 URL and select 'Include in Context' then 'Default Context'.

OWASP zaproxy Sites pane

In the 'HTTP Sessions' pane, you should now see that there is a new session added for the site localhost:10080 with values populated in the 'Session Tokens' Values' field.

If you do not see any values, launch the SFTPPlus HTTP service again and log in.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Back in the 'Sites' pane, right click over the localhost URL, select 'Attack' -> 'Active Scan'.

For one of our tests, we only wanted to scan the HTTP headers to see if the version of SFTPPlus would be able to escape possible CSRF attacks. In this case, for the 'Input Vectors' tab, only the 'HTTP Headers, All Requests' vector was selected. You can choose other vectors according to your own requirements or you can opt to choose all vectors.


Allow the scan to work. The times can vary.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Alerts are located in the 'Alerts' tab. You can read what the Alert is about from this pane. Please note that alerts may include alerts from associated third party services.


You can generate the report after the scan has completed.

Select 'Report' on the top menu > 'Generate HTML Report' and save the file.

Other reporting file formats can be used such as JSON, XML, Markdown.

OWASP HTTP Sessions pane with populated Session Tokens' Values

Example scan result

Below is an example scan of what you may find. Please note that results will differ depending on factors such as your installation, configuration and SFTPPlus version:

Low Risk: Web Browser XSS Protection Not Enabled
Details:
URL:
Risk: Low
Confidence: Medium
CWE ID: 933 - Security Misconfiguration -
https://cwe.mitre.org/data/definitions/933.html
WASC ID: 14 - Server Misconfiguration
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
Source: Passive (10016 - Web Browser XSS Protection Not Enabled)

Description:
Web Browser XSS Protection is not enabled, or is disabled by the
configuration of the 'X-XSS-Protection' HTTP response header on
the web server

Other info:
The X-XSS-Protection HTTP response header allows the web server
to enable or disable the web browser's XSS protection mechanism.
The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The following values would disable it:
X-XSS-Protection: 0
The X-XSS-Protection HTTP response header is currently supported
on Internet Explorer, Chrome and Safari (WebKit).
Note that this alert is only raised if the response body could
potentially contain an XSS payload (with a text-based content type,
with a non-zero length).

Solution:
Ensure that the web browser's XSS filter is enabled, by setting
the X-XSS-Protection HTTP response header to '1'.

Reference:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

Upon seeing reports in regards to XSS vulnerabilities, we have fixed user input escaping where error messages where done without the user input and also added validation of the user input.

Therefore, the HTML rendering code for the HTTP service has been added to ensure that this is not the case to secure user input.

As part of this change, we have also added new automated tests for the HTTP service as part of our quality assurance reviews.

Example SFTPPlus audit log during a scan

As you can see, the scan generated some potential CSRF attacks which SFTPPlus version 3.34.1 detected and therefore disconnected against:

| 40018 2018-06-07 11:05:43 Process Unknown 127.0.0.1:58871
  Forcing client disconnection at "/unwanted.js" after
  receiving 0 bytes in body. Response: 400 Possible CSRF

The above is just an example of what you may see in the audit log and is not related to the scan result in the previous section.

The reason why you are seeing this in the audit trail is that we now enforce requests from the same origin including basic requests such as GET and even older HTTP requests such as POST.

This is to ensure that requests from the outside boundary (the Internet) are not interacting with the safe confines of the HTTP file service or the Local Manager.

We have ensured that the browser is forced to download data, rather than execute data, after checking the Origin and Referrer headers are of the same source.

What to do if you find an issue

The first step is to check if you have the latest version of SFTPPlus. New versions will contain not only new features, but also defect fixes including security bug fixes.

The second step is to look at the type of alert and to do a manual confirmation of the feasibility of the alert (for example, if it's a false positive) and to confirm the results from zaproxy. The alerts are meant to be guidance for further investigations.

If there is a bug found, please do not hesitate to contact SFTPPlus Support with your defect report.

Keep up to date by signing up to our security advisories

SFTPPlus continues to be focused on automated, non-interactive file transfers in a secure fashion. Our security practices have been designed to make this a reality for our clients.

To be kept up to date with the latest security advisory and news, please subscribe to out newsletter here.

Evaluating SFTPPlus MFT

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

Install SFTPPlus MFT today either as an on-premise solution supported on Windows, Linux, Solaris, AIX, HP-UX, MacOS and FreeBSD or on the cloud as Docker containers, AWS instances etc.

Email us at sales@proatria.com to start your evaluation version today.

For licensing queries please contact sales@proatria.com.

Addendum

This resource is written as of SFTPPlus version 3.34.1.

The details in this resource is for guidance only. Influences such as own security policies, requirements, and threat models should be considered when adopting this type of guidance.

• • •

Secure cipher suites for the ssl_cipher_list configuration

Thu 03 May 2018 | security

Default SSL cipher suites

With the release of SFTPPlus 3.32.0, we have changed the default set of SSL cipher suites for the Local Manager and the HTTPS service. As with any product that runs in many environments, SFTPPlus uses a default set of SSL-related parameters that are a compromise between security and compatibility. Up to SFTPPlus version 3.31.0, we were using this highly compatible, but still reasonably secure, default set:

ssl_cipher_list = 'ALL:!RC4:!DES:!3DES:!MD5:!EXP'

Starting with SFTPPlus version 3.32.0, we strongly emphasize our focus on security. The default setting for OpenSSL cipher suites in SFTPPlus is now:

ssl_cipher_list = 'HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS'

Notice that we now derive our default set from the HIGH set of cipher suites in OpenSSL. As improved cipher suites are added in OpenSSL, and new vulnerabilities are discovered and patched for, this specific set of cipher suites will be continuously improved upon by the OpenSSL developers. By keeping OpenSSL libraries updated through OS-specific procedures, our customers' SFTPPlus installations will benefit from these upstream improvements.

This new default set of safe cipher suites is also encapsulated within the secure configuration option, so you may simply use the following:

ssl_cipher_list = secure

Testing your HTTPS server

In ensuring that the secure configuration option for ssl_cipher_list in SFTPPlus is actually secure enough for your needs, you should try auditing your HTTPS setup using the Qualys SSL Labs' SSL Server Test.

This is a free online service that performs an analysis of the configuration of any public HTTPS server listening on the standard 443 port. When results are submitted, a grade from A to F is provided. You can read more about Qualys' SSL Server Rating Guide in their GitHub wiki here.

Assuming you are using a modern version of OpenSSL, such as version 1.0.2, a default installation of SFTPPlus version 3.32.0 will currently yield a score of B. This is because we still care about compatibility with older clients in the default setup.

However, you might want to go beyond that and try to obtain a Qualys SSL Server Rating of A for your SFTPPlus installation. A set of ciphers suites that sacrifices a bit of compatibility to reach the Grade A rating would be:

| ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
| ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

Keep in mind that clients such as Internet Explorer on Windows XP, Java 6.x clients and Android 2.x users will not be able to access your server any more. For guiding you in picking the best cipher suites for your OpenSSL version, we recommend Mozilla's SSL Configuration Generator.

Another way to increase the security of your HTTPS setup is to disable support for older SSL methods such as TLS v1.0 and v1.1. While as of April 2018 there are no known vulnerabilities specific to TLS v1.0 or v1.1, supporting only the newest standard will ensure better security through the use of more modern cipher suites.

In seeking the perfect balance between security and compatibility, you may wish to consider configuring only some services to have stricter cipher suites and/or TLS policy. These could be administration facing services such as the SFTPPlus Local Manager. For other services, you may need to adopt a policy that allows a compatible set as the default value for services such as HTTPS.

For example, here's the difference between secure and compatible SSL methods. Note that the secure method does not provide backward compatibility:

Secure methods:
ssl_allowed_methods = tlsv1.2

This indicates that the server will only support TLS v1.2, and will not communicate with a client that supports only TLS v1.0 and/or TLS v1.1.

A more lenient set of SSL methods would be:

Compatible methods:
ssl_allowed_methods = tlsv1.0 tlsv1.1 tlsv1.2

This indicates that the server will support clients using TLS version v1.2 and can communicate with clients that only support TLS v1.0 and/or TLS v1.1.

Beware that not supporting TLS v1.0 would mean dropping support for clients from older operating systems such as RHEL 5, SLES 11 and Solaris 10, as well as obsolete platforms like Android 4.0-4.3, Internet Explorer on Windows Vista and Win Phone 8.0, Java 7 clients. Anything using the old OpenSSL 0.9.8 version is also included.

Therefore, you may need to reach a compromise in choosing the ssl_allowed_methods too, and only restrict the SSL methods for the more sensitive services such as Local Manager.

Evaluating SFTPPlus MFT

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

Install SFTPPlus MFT today either as an on-premise solution supported on Windows, Linux, Solaris, AIX, HP-UX, MacOS and FreeBSD or on the cloud as Docker containers, AWS instances etc.

Email us at sales@proatria.com to start your evaluation version today.

For licensing queries please contact sales@proatria.com.

Addendum

This resource is written as of SFTPPlus version 3.33.0.

The details in this resource is for guidance only. Influences such as own security policies, requirements, and threat models should be considered when adopting this type of guidance.

• • •

Security Advisory on CSRF and XSS attacks affecting HTTP/HTTPS services

Tue 24 April 2018 | security

Customers using HTTP/HTTPS services should upgrade to 3.33.0

SFTPPlus update against CSRF and XSS

The SFTPPlus version 3.33.0 release is a major security update for the HTTP/HTTPS file transfer service and the SFTPPlus Local Manager service.

This update addresses the vulnerabilities concerning Cross-Site Request Forgery Attacks and Cross-Site Scripting Attacks on the aforementioned services.

Customers that are not accessing SFTPPlus services from a web browser are not exposed to these vulnerabilities.

In addition, customers utilizing FTP, FTPS, SFTP, and SCP protocols are not affected.

We recommend that all affected customers should upgrade to the SFTPPlus 3.33.0 release, since it includes fixes for Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities.

To mitigate the risk in older SFTPPlus versions, we recommend the following actions:

  • Do not have other tabs or windows open in the same browser while being authenticated to a SFTPPlus service, or
  • Use a private window or a separate profile / container.
  • Log out from the SFTPPlus service as soon as your have completed your tasks.

The aforementioned security issues were due to ProAtria not performing a security audit of SFTPPlus, when used from an interactive browser.

Taking into consideration the current challenges of HTTP security, we have now updated our security practices and implemented automated tests. These tests will cover the HTTP-specific attacks against SFTPPlus when accessed from a web browser.

SFTPPlus continues to be focused on automated, non-interactive file transfers in a secure fashion. Our security practices have been designed to make this a reality for our clients.

You can check the rest of the 3.33.0 release notes here.

• • •

Protecting your SFTPPlus configuration against SWEET32

Fri 02 March 2018 | security

Details of attacks on DES (Data Encryption Standard) and Triple DES, Birthday attacks on 64-bit block ciphers were released with the CVE ID of CVE-2016-2183. Read more about the CVE details here).

DES and Triple DES ciphers, used in TLS and SSH protocols and in subsequent relation also used in file transfer products, have a birthday bound of approximately four billion blocks. This makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode. This attack is otherwise known as the "SWEET32" attack.

If your SFTPPlus configuration is vulnerable to these attacks, you will need to ensure that you are on the latest SFTPPlus MFT version 3.xx.xx series and use the following custom configurations outlined below.

From SFTPPlus version 3.31.0, you can use the secure cipher option for the ssl_cipher_list and ssh_cipher_list configurations. The special keyword secure contains all the algorithms that we currently consider secure.

From version 3.32.0, the default secure ssl_cipher_list configuration was updated to HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS where HIGH is defined by upstream OpenSSL.

In this way, when updating the OpenSSL library, you will automatically get an update in the list of secure ciphers without the need to update SFTPPlus.

Exclude DES and Triple-DES from the SSL Cipher List

SFTPPlus relies on OS crypto for the SSL/TLS portion. There is no need to run this configuration if your operating system has already deprecated the use of DES/3DES.

To check if your OpenSSL has DES and 3DES ciphers enabled, check the output of openssl ciphers -v 'DES:3DES'

If DES/3DES are still available in OpenSSL, disable them for SFTPPlus by ensuring that the ssl_cipher_list configuration for the service has the value :!DES:!3DES: added in the list. This will exclude the use of DES and Triple DES as indicated by the ! mark.

For more details about this configuration, please refer to the ssl cipher list configuration option here.

Exclude DES and Triple-DES from the SSH Cipher List

In the ssh_cipher_list configuration for the service, add the value :!DES:!3DES: to exclude the use of DES and Triple DES. There is no need to run this configuration if your operating system has already deprecated the use of DES/3DES.

More details about this configuration for the ssh cipher list here.

Only use TLS 1.2 (for services utilizing TLS/SSL)

In the ssl_allowed_methods option for the associate service, add the value tlsv1.2 to use TLS v1.2.

Ensure that tlsv1.2 is the only value in ssl_allowed_methods so that this component will use TLS v1.2 during the secure communication handshake.

DES ciphers are used in TLS 1.0 and TLS 1.1, but they are not available in TLS 1.2 as noted in RFC 5469.

In the event that you still require communication with services still utilizing TLS 1.1 and/or TLS 1.0, you may add tlsv1.1 and/or tlsv1.0 providing that the DES and Triple-DES ciphers are excluded in the first instance.

More details about this configuration are available in our documentation here.

Confirming the SFTP configurations using openssl s_client

You can use openssl s-client, a diagnostic tool.

Connect via openssl s_client -cipher 3DES -connect site:port to check that 3DES is disabled.

To check the TLS version, the output will also reveal which TLS version is being used:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519733544
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Confirming the FTPS configurations using curl

If you wish to use curl instead, there are two tests that you can run once these options are saved in your development lab.

Run curl with the excluded ciphers DES-CBC3-SHA and check that you cannot complete the operation.

curl -v --ftp-ssl -k ftp://user@domain:port --ciphers DES-CBC3-SHA

Run curl with the allowed TLS version and check that you are able to complete the operation.

curl -v --ftp-ssl -k ftp://user@domain:port --tlsv1.2

Using --tlsv1.0 should fail the operation.

Confirming the configuration from the log

SFTPPlus configurations can also be confirmed via the log. For this issue, it should be done more as a supplementary step rather than as a sole point of confirmation of your configuration changes.

From the client-shell:

| SFTPPlus (3.30.0) file transfer client shell
| > connect
| 20140 2018-02-04 10:23:03 uuid Process 0.0.0.0:0 Connecting resource "ftpse".
| 10102 2018-02-04 10:23:03 uuid user localhost:10021 Location ftpse connected
  to the FTP server.
| 10106 2018-02-04 10:23:03 uuid user localhost:10021 Connection to FTP/FTPS
  was authenticated for location ftpse. Protected using TLSv1.2
  ECDHE-RSA-AES256-GCM-SHA384.
  Server certificate: (4) C=UK/O=ACME/CN=myserver.

From the server-side log:

| 10067 2018-02-04 10:23:03 Process Unknown 127.0.0.1:55555 Client initiating
  authentication as "user".Command protected using TLSv1.2
  ECDHE-RSA-AES256-GCM-SHA384.
  Client certificate: (2) C=GB/O=ACME/CN=myclient

The logs above indicate that TLSv1.2 was used alongside the list of ciphers ECDHE-RSA-AES256-GCM-SHA384. Please note that just because TLSv1.2 is used, it does not indicate that other TLS versions are disabled.

Evaluating SFTPPlus MFT

Security is a priority to SFTPPlus MFT.

With our software, not only will you have access to a secure file transfer product, but our specialist consultants are available for your secure file transfer needs.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, AIX, OS X, Solaris, HP-UX, and FreeBSD. Please add your email below to sign up for an evaluation trial.

• • •

SFTPPlus is not affected by the Meltdown and Spectre Vulnerabilities

Wed 21 February 2018 | article security

Security advisory about the Meltdown and Spectre are vulnerabilities

SFTPPlus is not affected by the Meltdown and Spectre Vulnerabilities

Meltdown and Spectre are vulnerabilities based on CPU design flaws which require the attacker to be able to execute application code which is created to exploit these vulnerabilities.

SFTPPlus secure file transfers does not allow any arbitrary application code execution. It will only read and write data without executing it. This is standard behaviour for doing file transfers over FTPS or HTTPS.

The SSH implementation of SFTPPlus is only allowed for the SFTP and SCP protocols. Shell access or any other SSH execution is denied. The SCP protocol is implemented using an embedded SCP protocol and no external scp application is called.

For the purpose of managed file transfers, SFTPPlus allows the execution of pre-configured application code with the pre and post transfer hooks. As long as the SFTPPlus is configured with trusted applications, this does not constitute an attack vector.

If you are running SFTPPlus Itanium architectures, for example with HPUX, you are not affected by these vulnerabilities, no mater what other software is in used on those systems.

SPARC architecture (example with Solaris 10) and POWER (example with AIX 7.1) are affected by the Spectre, while not being affected by Meltdown.

The embedded devices based on ARM64 CPUs are also affected by Spectre.

Administrators using the SFTPPlus MFT Client with pre and post transfer hooks should review the configuration and make sure that the hooks will trigger calls to trusted applications.

This article was written as of SFTPPlus version 3.31.0.

• • •