FTP Rush: missing X.509 validation (FTP with TLS)

Type securityvulns
Reporter Securityvulns
Modified 2014-06-02T00:00:00



Advisory ID: SYSS-2014-002 Product: FTP Rush Vendor: Wing FTP Software Affected Version(s): v2.1.8 Tested Version(s): v2.1.8 (Windows 7 32 bit and Windows 8.1 64 bit) Vulnerability Type: X.509 validation Risk Level: Medium Solution Status: Vendor Notification: 2014-04-04 Solution Date: Public Disclosure: 2014-05-19 CVE Reference: Not assigned, (but similiar to CVE-2012-6606) Author of Advisory: Micha Borrmann (SySS GmbH)

Overview: FTP Rush does not validating X.509 certificates, if FTP with TLS is used

Vulnerability Details: A user can not recognize an easy to perform man-in-the-middle attack, because the client is not validate the X.509 certificate from the FTP server. In an untrusted networking environment (like a Wifi hotspot), the current FTP AUTH TLS connection with FTP Rush should be classified as not encrypted.

Proof of Concept (PoC): not needed

Solution: use another client for FTP with AUTH TLS

Disclosure Timeline: April 3, 2014 - Vulnerability discovered April 4, 2014 - Vulnerability reported to vendor May 19, 2014 - Vulnerability disclosure, after a period of 45 days for a responsible disclosure

Credits: Security vulnerability found by Micha Borrmann of the SySS GmbH.

Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS web site (https://www.syss.de/aktuelles/advisories/advisory-ftp-rush/)

Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en


iQIcBAEBCgAGBQJTefx8AAoJEPxn66kbURKKFw8P/R1/D7b8GoZTQtPe2Rj/w6Sx KakOOZ5IOEgbZP9pl6vOQBCCOWfipJFgVCSoF9BYUOJ9k/fM7inQZl7e4BRBIfGR 2bJveIe+VScTnDQ+yt56TKo6jSMvdszwcBrNTTI+cTn1CvlWBJiDAjHj6SWDCWRe 47tT7LMtOCL8bA/EAacfxWxAJFv2Zu45rkSqGXvKxz987Ss1CuuMUHQ6BzyggcCS GvvfojwvNDOK77C+uYAdnqcyaWmepX++T9FmQbvjOulrysN4LamvdfpzlOt1ZxTe Mcw03Y/ERTrEZkNfahk98LwklceImp0ZozJWazmFaBwEUuKGXJNeBniq+RE7PORq e1cZ5zBsD4xiO3OoFwzV/GvP/2/O/I4hPI9WbfhjaZ2A1bGEv3hofy4HWPUKk8w3 aclr7pyY8CqhwY6ZPzV1euhpM2sVzfUTdf2NcNVY6Ra3dbj+QkqgYI6xyRtXSEvS cLElul4ihD9fd0asY6Iczl6bXLUj5tWAHlYR0hz59NJiJBFlWgf+bf44SqmCel+x qh1P66/CbFWjWvit60FmYL+nPYxjXc2ygo7bYu84uwzs06z/zcuVVlJSpSuUl2WG dbr9dTL+aQys7zAbLCsh5DnqRmWiMNM4z/V+CRiZuZLRaPVlclPJTeBAxSeZpOuP MwOf6Izjw169Ih5Dw1dT =pJ3c -----END PGP SIGNATURE-----