lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 19 May 2014 14:43:45 +0200
From: Micha Borrmann <micha.borrmann@...s.de>
To: <bugtraq@...urityfocus.com>
Subject: FTP Rush: missing X.509 validation (FTP with TLS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:         SYSS-2014-002
Product:             FTP Rush
Vendor:              Wing FTP Software
Affected Version(s): v2.1.8
Tested Version(s):   v2.1.8 (Windows 7 32 bit and Windows 8.1 64 bit)
Vulnerability Type:  X.509 validation
Risk Level:          Medium
Solution Status:
Vendor Notification: 2014-04-04
Solution Date:
Public Disclosure:   2014-05-19
CVE Reference:       Not assigned, (but similiar to CVE-2012-6606)
Author of Advisory:  Micha Borrmann (SySS GmbH)

Overview:
FTP Rush does not validating X.509 certificates, if FTP with TLS is used

Vulnerability Details:
A user can not recognize an easy to perform
man-in-the-middle attack, because the client is not validate the X.509
certificate from the FTP server. In an untrusted networking
environment (like a Wifi hotspot), the current FTP AUTH TLS connection
with FTP Rush should be classified as not encrypted.

Proof of Concept (PoC): not needed

Solution: use another client for FTP with AUTH TLS

Disclosure Timeline:
April 3, 2014 - Vulnerability discovered
April 4, 2014 - Vulnerability reported to vendor
May  19, 2014 - Vulnerability disclosure, after a period of 45 days for
a responsible disclosure

Credits:
Security vulnerability found by Micha Borrmann of the SySS GmbH.

Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS web site
(https://www.syss.de/aktuelles/advisories/advisory-ftp-rush/)

Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTefx8AAoJEPxn66kbURKKFw8P/R1/D7b8GoZTQtPe2Rj/w6Sx
KakOOZ5IOEgbZP9pl6vOQBCCOWfipJFgVCSoF9BYUOJ9k/fM7inQZl7e4BRBIfGR
2bJveIe+VScTnDQ+yt56TKo6jSMvdszwcBrNTTI+cTn1CvlWBJiDAjHj6SWDCWRe
47tT7LMtOCL8bA/EAacfxWxAJFv2Zu45rkSqGXvKxz987Ss1CuuMUHQ6BzyggcCS
GvvfojwvNDOK77C+uYAdnqcyaWmepX++T9FmQbvjOulrysN4LamvdfpzlOt1ZxTe
Mcw03Y/ERTrEZkNfahk98LwklceImp0ZozJWazmFaBwEUuKGXJNeBniq+RE7PORq
e1cZ5zBsD4xiO3OoFwzV/GvP/2/O/I4hPI9WbfhjaZ2A1bGEv3hofy4HWPUKk8w3
aclr7pyY8CqhwY6ZPzV1euhpM2sVzfUTdf2NcNVY6Ra3dbj+QkqgYI6xyRtXSEvS
cLElul4ihD9fd0asY6Iczl6bXLUj5tWAHlYR0hz59NJiJBFlWgf+bf44SqmCel+x
qh1P66/CbFWjWvit60FmYL+nPYxjXc2ygo7bYu84uwzs06z/zcuVVlJSpSuUl2WG
dbr9dTL+aQys7zAbLCsh5DnqRmWiMNM4z/V+CRiZuZLRaPVlclPJTeBAxSeZpOuP
MwOf6Izjw169Ih5Dw1dT
=pJ3c
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ