Articles from security category

SFTPPlus Release 3.32.0

Thu 05 April 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.32.0.

New Features

  • SFTP and SCP file transfer services can now listen on IPv6 addresses and accept connections from IPv6 clients. [server-side][sftp][scp] [#1924]
  • The HTTP and HTTPS service now accepts creating new folders with the HTTP PUT and WebDAV MKCOL methods. [server-side][http][https] [#4828-1]
  • The HTTP and HTTPS service now accepts deleting folders and files with the HTTP DELETE method. [server-side][http][https] [#4828-2]
  • The HTTP and HTTPS service now accepts file uploads using the HTTP PUT method. [server-side][http][https] [#4828]

Defect fixes

  • FTP and FTPS client side transfer can now transfer files larger than a few bytes from a remote FTP/FTPS server and to the local filesystem. This issue was introduced in SFTPPlus version 3.20.0. This defect was not affecting uploading / pushing files to a remote FTP/FTPS server. [client-side][ftp][ftps] [#4754]
  • The Developer Documentation for the HTTP authentication method was updated to make it clear the expected repose codes for the authentication server. [server-side] [#4758]
  • The JavaScript UI for the HTTP and HTTPS file transfer services no longer limit the file size to 256MB. This defect was introduced in 3.31.0. [server-side][http][https] [#4815]

Deprecations and Removals

  • The default secure ssl_cipher_list configuration was updated to HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS. The previous value was ALL:!RC4:!DES:!3DES:!MD5:!EXP. In this way, when updating the OpenSSL library you will automatically get an update in the list of secure ciphers, without the need to update SFTPPlus. [security][ftps][https][client-side][server-side] [#4748]
  • The event (ID 40025) that was emitted when an unknown error was generated by the HTTP service during a JSON API request was removed. It has been replaced with event ID 40003. [server-side][http][https] [#4828]

You can check the full release notes here.

• • •

Protecting your SFTPPlus configuration against SWEET32

Fri 02 March 2018 | security

Details of attacks on DES (Data Encryption Standard) and Triple DES, Birthday attacks on 64-bit block ciphers were released with the CVE ID of CVE-2016-2183. Read more about the CVE details here).

DES and Triple DES ciphers, used in TLS and SSH protocols and in subsequent relation also used in file transfer products, have a birthday bound of approximately four billion blocks. This makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode. This attack is otherwise known as the "SWEET32" attack.

If your SFTPPlus configuration is vulnerable to these attacks, you will need to ensure that you are on the latest SFTPPlus MFT version 3.xx.xx series and use the following custom configurations outlined below.

From SFTPPlus version 3.31.0, you can use the secure cipher option for the ssl_cipher_list and ssh_cipher_list configurations. The special keyword secure contains all the algorithms that we currently consider secure.

From version 3.32.0, the default secure ssl_cipher_list configuration was updated to HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS where HIGH is defined by upstream OpenSSL.

In this way, when updating the OpenSSL library, you will automatically get an update in the list of secure ciphers without the need to update SFTPPlus.

Exclude DES and Triple-DES from the SSL Cipher List

SFTPPlus relies on OS crypto for the SSL/TLS portion. There is no need to run this configuration if your operating system has already deprecated the use of DES/3DES.

To check if your OpenSSL has DES and 3DES ciphers enabled, check the output of openssl ciphers -v 'DES:3DES'

If DES/3DES are still available in OpenSSL, disable them for SFTPPlus by ensuring that the ssl_cipher_list configuration for the service has the value :!DES:!3DES: added in the list. This will exclude the use of DES and Triple DES as indicated by the ! mark.

For more details about this configuration, please refer to the ssl cipher list configuration option here.

Exclude DES and Triple-DES from the SSH Cipher List

In the ssh_cipher_list configuration for the service, add the value :!DES:!3DES: to exclude the use of DES and Triple DES. There is no need to run this configuration if your operating system has already deprecated the use of DES/3DES.

More details about this configuration for the ssh cipher list here.

Only use TLS 1.2 (for services utilizing TLS/SSL)

In the ssl_allowed_methods option for the associate service, add the value tlsv1.2 to use TLS v1.2.

Ensure that tlsv1.2 is the only value in ssl_allowed_methods so that this component will use TLS v1.2 during the secure communication handshake.

DES ciphers are used in TLS 1.0 and TLS 1.1, but they are not available in TLS 1.2 as noted in RFC 5469.

In the event that you still require communication with services still utilizing TLS 1.1 and/or TLS 1.0, you may add tlsv1.1 and/or tlsv1.0 providing that the DES and Triple-DES ciphers are excluded in the first instance.

More details about this configuration are available in our documentation here.

Confirming the SFTP configurations using openssl s_client

You can use openssl s-client, a diagnostic tool.

Connect via openssl s_client -cipher 3DES -connect site:port to check that 3DES is disabled.

To check the TLS version, the output will also reveal which TLS version is being used:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519733544
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Confirming the FTPS configurations using curl

If you wish to use curl instead, there are two tests that you can run once these options are saved in your development lab.

Run curl with the excluded ciphers DES-CBC3-SHA and check that you cannot complete the operation.

curl -v --ftp-ssl -k ftp://user@domain:port --ciphers DES-CBC3-SHA

Run curl with the allowed TLS version and check that you are able to complete the operation.

curl -v --ftp-ssl -k ftp://user@domain:port --tlsv1.2

Using --tlsv1.0 should fail the operation.

Confirming the configuration from the log

SFTPPlus configurations can also be confirmed via the log. For this issue, it should be done more as a supplementary step rather than as a sole point of confirmation of your configuration changes.

From the client-shell:

| SFTPPlus (3.30.0) file transfer client shell
| > connect
| 20140 2018-02-04 10:23:03 uuid Process 0.0.0.0:0 Connecting resource "ftpse".
| 10102 2018-02-04 10:23:03 uuid user localhost:10021 Location ftpse connected
  to the FTP server.
| 10106 2018-02-04 10:23:03 uuid user localhost:10021 Connection to FTP/FTPS
  was authenticated for location ftpse. Protected using TLSv1.2
  ECDHE-RSA-AES256-GCM-SHA384.
  Server certificate: (4) C=UK/O=ACME/CN=myserver.

From the server-side log:

| 10059 2019-06-18 09:42:36 ftp-1 johnd 127.0.0.1:48218
  User successfully logged on "/users/John_D" as "/".
  Command protected using TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305.
  Client certificate: (2) C=GB/O=ACME/CN=myclient

The logs above indicate that TLSv1.2 was used alongside the list of ciphers ECDHE-RSA-AES256-GCM-SHA384. Please note that just because TLSv1.2 is used, it does not indicate that other TLS versions are disabled.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, and macOS.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

SFTPPlus is not affected by the Meltdown and Spectre Vulnerabilities

Wed 21 February 2018 | article security

Security advisory about the Meltdown and Spectre are vulnerabilities

SFTPPlus is not affected by the Meltdown and Spectre Vulnerabilities

Meltdown and Spectre are vulnerabilities based on CPU design flaws which require the attacker to be able to execute application code which is created to exploit these vulnerabilities.

SFTPPlus secure file transfers does not allow any arbitrary application code execution. It will only read and write data without executing it. This is standard behaviour for doing file transfers over FTPS or HTTPS.

The SSH implementation of SFTPPlus is only allowed for the SFTP and SCP protocols. Shell access or any other SSH execution is denied. The SCP protocol is implemented using an embedded SCP protocol and no external scp application is called.

For the purpose of managed file transfers, SFTPPlus allows the execution of pre-configured application code with the pre and post transfer hooks. As long as the SFTPPlus is configured with trusted applications, this does not constitute an attack vector.

If you are running SFTPPlus Itanium architectures, for example with HPUX, you are not affected by these vulnerabilities, no mater what other software is in used on those systems.

SPARC architecture (example with Solaris 10) and POWER (example with AIX 7.1) are affected by the Spectre, while not being affected by Meltdown.

The embedded devices based on ARM64 CPUs are also affected by Spectre.

Administrators using the SFTPPlus MFT Client with pre and post transfer hooks should review the configuration and make sure that the hooks will trigger calls to trusted applications.

This article was written as of SFTPPlus version 3.31.0.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, and macOS.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •

SFTPPlus Release 3.31.0

Tue 20 February 2018 | security release

We are pleased to announce the latest release of SFTPPlus version 3.31.0.

New Features

  • The option to enforce unique names for uploaded files is now available for the HTTP and HTTPS file transfer services. [server-side] [#4465]
  • A SOCKS version 5 (SOCKS5) proxy without authentication can now be used to connect to remote SFTP and SCP servers. [client-side][sftp][scp] [#4546]
  • A new event handler option is added in order to send filtered events to standard output. This can be used when running SFTPPlus in Docker or with other process supervisors. [#4645]
  • The option to enforce unique names for uploaded files is now available for the FTP, Implicit FTPS and Explicit FTPS protocols. [server-side] [#4650]
  • The file-dispatcher event handler can now be configured to automatically create destination folders. [#4652]
  • The close event description for SFTP and SCP client-side and server-side connection now contains the encryption used to protect connection. [client-side][server-side][sftp][scp] [#4668]
  • The HTTP and HTTPS file transfer services now allow uploading multiple files and adding files via drag and drop. [server-side][http][https] [#4673]
  • Support for Red Hat Enterprise Linux versions 7.0 to 7.3 with OpenSSL 1.0.1 was readded alongside support for RHEL 7.4 and newer using OpenSSL 1.0.2. [#4691]
  • A new secure configuration value is available for the ssl_cipher_list and ssh_cipher_list as part of the FTPS, SFTP, SCP, and HTTPS file transfer services. [security][client-side][server-side] [#4727]

Defect fixes

  • The transfer for SFTP and SCP locations is no longer interrupted when the remote server is requesting a SSH re-key exchange. This was affecting client-side transfers of files bigger than 1GB, as this is the point where some servers are re-keying. This is when either side forces the other to run the key-exchange phase which changes the encryption and integrity keys for the session. [client-side] [#4302]
  • It is now possible to stop the client shell at any time by pressing the Ctrl+C key combination. In previous versions this was not available while an operation was in progress. [#4626]
  • The AIX 7.1 build of SFTPPlus was updated to work with older OpenSSL versions. Previous versions of SFTPPlus (from 3.27.0 to 3.30.0) on AIX 7.1 required OpenSSL 1.0.2k or newer. [#4696]
  • SFTP and SCP client and server side can now handle key exchange process even for peers which advertise their SSH version string with trailing spaces. This can happen for Bitvise SSHD Server when configured to omit its version. [client-side][server-side][sftp][scp] [#4718]
  • The documentation for expression matching was updated to explain that regular expression matching is done as a search operation. For an exact match, use the start and end regex anchors. [#4724]

Deprecations and Removals

  • Events with ID 40015 and 40016 were replaced by already existing event with ID 40022. Event 40022 is now the only one emitted when there are errors during an upload operation. [server-side][http] [#4465]
  • The default configuration for SFTP, SCP, FTPS, and HTTPS connections was updated to exclude the 3DES cipher in order to prevent SWEET32 attacks. To not break backward compatibility for existing installations, this change affects only new installations. Existing installations will need to be manually updated to exclude the 3DES based ciphers. [#4727]

You can check the full release notes.

• • •

Choosing the best protocols for securing data and file transfers

Mon 22 January 2018 | article security

Why read this guide

In order to implement a secure managed file transfer system, you will need a good understanding of the supported services and protocols involved.

This article provides an overview of the supported protocols, including the advantages and disadvantages of these protocols as well as situations for the use of these services.

The first part focuses on protocols that we recommend you reconsider in using and the rest of the article is followed by services that we do recommend.

Protocols to reconsider when securing data and file transfers

The following, FTP and HTTP, are covered below as they both pose two services that offer the least advantage in terms of securing data and file transfers.

File Transfer Protocol (FTP)

Shortform for File Transfer Protocol, the objectives of FTP are 1) to promote sharing of files (computer programs and/or data), 2) to encourage indirect or implicit (via programs) use of remote computers, 3) to shield a user from variations in file storage systems among hosts, and 4) to transfer data reliably and efficiently.

FTP has had a long evolution over many years starting with its beginnings published as RFC 114 on 16 April 1971. Over time there has been other forms of file transfer protocols made available as there had been vulnerabilities and weaknesses with FTP such as:

  • Brute force attacks which is attacking via computing credential combinations.
  • FTP bounce attacks which is an exploit enabling an attacker to use the PORT command to request access to ports indirectly through the use of the target machine as a man in the middle request.
  • Packet capture through the use of packet capture tools.
  • Port stealing where traffic directed at a port is stolen or intercepted by an attacker.
  • Spoofing attack where the attacker may use a tool to try multiple instances of an IP address in order to assume the correct, and therefore spoofing, the host address of the target machine.
  • Username enumeration is part of the discovery, or enumeration, process prior to an attack of a network or service by obtaining usernames associated with the service.

There are also limitations to the protocol. For example, there is no ability to encrypt data on transit. Data in transit can be sniffed using freely available tools since the transmissions of usernames, passwords, commands and other data is not encrypted. An attacker can run a packet sniffer over the network can sniff out FTP credentials. In addition, there is no integrity checking of files to ensure that data integrity remains since this is not included as a feature of the protocol.

Situations to use the FTP service:

There is a chance that your initial file transfer system may even be in FTP, depending on the age of the system. However, FTP has many security weaknesses and vulnerabilities as mentioned previously.

Those wishing to continue to use FTP and to do so in a secure manner may find themselves integrating other software to ensure security, creating additional scripts or taking on board additional maintenance. For example, there is no built-in integrity check however scripting work can be done to create a checksum integrity checking process and added at the end of a file transfer. There is also further additional overhead in ensuring that FTP remains secure such as integration with other applications for additional layers of security.

The FTP service is accessible by enabling the service and then configuring the address, port, passive port range, passive address, idle data connection timeout and more.

Hypertext Transfer Protocol (HTTP)

HTTP, shortform for Hypertext Transfer Protocol, is an application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic, stateless, protocol which can be used for many tasks.

HTTP, in use by the World-Wide Web global initiative since 1990, is a protocol used in many tasks related to common usage of the web such as browsing websites. This is relevant to SFTPPlus since we offer a browser-based file management utility.

Without SSL/TLS, there is no way to encrypt data in transit. Other downsides to HTTP, in the context of SFTPPlus, include:

  • Packet capture through the use of packet capture tools.
  • Man-in-the-middle attack where the attacker intercepts and relays false malicious content between two parties.
  • Credentials are sent in a plain text encoding when using the SFTPPlus HTTP Basic Auth API.

Situations to use the HTTP service:

HTTP may be used internally within a highly secured network where there are already mechanisms in place to protect the environment.

We offer HTTP based micro-services and endpoints as part of our public API. In this case, the API is used in conjunction with other security mechanisms in place for the environment.

The HTTP service is accessible by enabling the service and then configuring the address, port, idle connection timeout and maximum concurrent connections.

Protocols to consider when securing data and file transfers

The following are protocols and services that we do recommend for securing data and file transfers. This is not an exhaustive list.

Implicit FTPS or FTPS Implicit SSL (FTPIS)

FTPIS, or implicit FTPS, is the use of the FTP protocol where secure data transfer is invoked via SSL as soon as the connection starts or after the OK reply is sent by the server. In implicit mode, an FTPS client is expected to “immediately expected to challenge the FTPS server with a TLS ClientHello message. If such a message is not received by the FTPS server, the server should drop the connection.” This means that the use of SSL is implied. This is illustrated in the diagram above.

The advantage is that this service is safer than the use of the FTP protocol due to implementing SSL meaning that data transmission is encrypted.

Implicit FTPS or FTPS Implicit SSL (FTPIS)

Situations to use the FTPIS service:

Use FTPIS when you wish to use a more secure FTP for file transfer and where SSL does not need to be invoked prior to login. However, if possible, use FTPES as described further below.

Explicit FTPS or FTPS with Explicit SSL (FTPES)

In explicit mode, an FTPS client must “explicitly request” security from an FTPS server and then step up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue in insecure mode or refuse the connection.

The advantage is that this service is safer than the use of the FTP protocol due to implementing SSL. Prior to user connection, both the server and client must negotiate the level of security used.

Explicit FTPS or FTPS Explicit SSL (FTPES)

Situations to use the FTPES service:

Use FTPES when you wish to use a more secure FTP for file transfer and where SSL needs to be invoked prior to login. However it should be noted that this not ensure that each and every session and data transfer is secure. FTPES is only a tool allowing the client/server to negotiate the accepted level of security with each session.

Notes for both FTPES and FTPIS

Since both are FTPS (FTP over TLS/SSL), they share some common advantages as listed, non-exhaustively, below:

  • The advantages afforded by SSL is used - certificate authorities, certification revocation lists, transmission encryption and more.
  • Certain regulations and compliance obligations may require data transmissions to be encrypted but it should be noted the difference between FTPES and FTPIS when it comes to which stage the encryption occurs.
  • The protocols make use of TLS (Transport Layer Security) encryption. It should be noted that in SFTPPlus, the TLS version can be used

SSH File Transfer Protocol or Secure File Transfer Protocol (SFTP)

SFTP is a network protocol that allows for file access, transfer and management capabilities over the SSH (Secure Shell) protocol channel.

The advantages for SFTP include:

  • Designed to be used to implement a secure remote file system service and also a secure file transfer service.
  • Runs over a secure channel, SSH, so that the server has already authenticated the client. The identity of the client user should also be available to the protocol.
  • Data is encrypted based on a configured cipher list agreed upon by the server and client.
  • There is the option to implement user access via SSH keys only or via a combination of password and SSH keys. If authenticating via SSH keys, the client does not need to go through password recollection so long as the SSH key is correctly configured on the server.
  • Certain regulations and compliance obligations may require data transmissions to be encrypted.

The SFTP protocol follows a simple request-response model where each request and response contains a sequence number and multiple requests may be pending simultaneously.

Situations to use the SFTP service:

The protocol assumes that both ends of the connection have been authenticated and that the connection has privacy and integrity features already in place and that security issues are left to the underlying transport protocol.

Since the protocol provides file system management feature, the server must have the correct access controls in place and implement correct authorization and enforce access controls.

In this case, when you implement SFTP ensure that you are doing so within an AAA (authorization, authentication, auditing/accounting) security design framework on SFTPPlus.

HTTP over SSL/TLS (HTTPS)

HTTPS, shortform for HTTP over TLS, provides security measures in using HTTP via SSL and its successor, TLS.

The HTTP protocol is further secured via SSL and its successor, TLS (Transmission Layer Security), thus this is referred to as HTTPS. HTTPS provides end-to-end security for browser-based applications.

Other advantages to using HTTPS:

  • TLS can harden TCP against Man-in-the-middle attacks where clients and servers exchange certificates which are issued and verified by a trusted third party called a certificate authority (CA).
  • HTTP Public Key Pinning (HPKP) allows HTTPS website to overcome impersonation via the use of fraudulent certificates.
  • Certain regulations and compliance obligations may require data transmissions to be encrypted

Situations to use the HTTPS service:

Since the SFTPPlus file management utility is accessible via the web browser, the HTTPS service is a more secure alternative compared to HTTP.

HTTPS is a must especially when the resource is going to be public (Internet) facing.

The HTTPS service is accessible by enabling the service and then configuring the SSL/TLS options such as the SSL cipher list, allowed SSL/TLS methods, SSL certificate, SSL key, certificate authority, certification revocation list and more.

Conclusion and next steps

The application of one protocol over the other does not immediately guarantee security. Please consider these services merely as a layer within multiple others when implementing a secure managed file transfer solution.

Since features are constantly changed, we did not touch on any specifics within SFTPPlus. Please consult our documentation for the configuration and operations information, as well as practical users guides.

This resource is written as of SFTPPlus version 3.29.0.

Evaluating SFTPPlus MFT

The features listed in this article are just a selected few out of many integration and configuration options that are available today. Feel free to talk to the Support team about your requirements with file transfer software.

SFTPPlus MFT Server supports FTP, Explicit FTPS, Implicit FTPS, SFTP, SCP, HTTP and HTTPS.

SFTPPlus MFT is available as an on-premise solution supported on Windows, Linux, and macOS.

It is also available on the cloud as Docker containers, AWS or Azure instances and many other cloud providers.

Request a trial using the form below.

• • •