{"cve": [{"lastseen": "2018-10-10T11:05:20", "bulletinFamily": "NVD", "description": "WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "modified": "2018-10-09T15:43:35", "published": "2014-04-22T09:06:29", "id": "CVE-2014-2735", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2735", "title": "CVE-2014-2735", "type": "cve", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n\r\nAdvisory ID: SYSS-2014-003\r\nProduct: WinSCP\r\nAffected Version(s): 5.5.2.4130\r\nTested Version(s): 5.5.2.4130 (Windows 7 32 bit and Windows 8.1 64 bit)\r\nVulnerability Type: Missing X.509 validation\r\nRisk Level: Medium\r\nSolution Status: Fixed\r\nVendor Notification: 2014-04-07\r\nSolution Date: 2014-04-09\r\nPublic Disclosure: 2014-04-16\r\nCVE Reference: CVE-2014-2735\r\nAuthor of Advisory: Micha Borrmann (SySS GmbH)\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nOverview: WinSCP is not checking the \"Common Name\" of an X.509\r\ncertificate when FTP with TLS is used.\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nVulnerability Details:\r\nA user cannot recognize an easy-to-perform man-in-the-middle attack,\r\nbecause the client does not validate the \"Common Name\" of the server's\r\nX.509 certificate. 
In a networking environment that is not trustworthy,\r\nlike a wifi network, when using FTP AUTH TLS with WinSCP the server's identity\r\ncannot be trusted.\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nSolution: Upgrade to WinSCP 5.5.3\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nDisclosure Timeline:\r\n\r\nApril 07, 2014 - Vulnerability discovered\r\nApril 07, 2014 - Vulnerability reported to vendor\r\nApril 09, 2014 - Bug was confirmed and fixed by the vendor [1]\r\nApril 10, 2014 - Bug fix could be confirmed with WinSCP 5.5.3 (Build 4193)\r\nApril 14, 2014 - WinSCP 5.5.3 (Build 4214) was released [2]\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nReferences:\r\n[1] http://winscp.net/tracker/show_bug.cgi?id=1152\r\n[2] http://winscp.net/eng/download.php\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nCredits:\r\n\r\nSecurity vulnerability found by Micha Borrmann of the SySS GmbH.\r\n\r\nE-Mail: micha.borrmann (at) syss.de\r\nPublic Key:\r\nhttps://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Micha_Borrmann.asc\r\nKey fingerprint = 6897 7B33 B359 B8BA 0884 969F FC67 EBA9 1B51 128A\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nDisclaimer:\r\n\r\nThe information provided in this security advisory is provided \"as is\"\r\nand without warranty of any kind. Details of this security advisory may\r\nbe updated in order to provide as accurate information as possible. 
The\r\nlatest version of this security advisory is available on the SySS web\r\nsite.\r\n\r\n-\r\n--------------------------------------------------------------------------------\r\n\r\nCopyright:\r\n\r\nCreative Commons - Attribution (by) - Version 3.0\r\nURL: http://creativecommons.org/licenses/by/3.0/deed.en\r\n\r\n", "modified": "2014-05-04T00:00:00", "published": "2014-05-04T00:00:00", "id": "SECURITYVULNS:DOC:30580", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30580", "title": "CVE-2014-2735 - WinSCP: missing X.509 validation", "type": "securityvulns", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "kaspersky": [{"lastseen": "2019-02-15T12:34:36", "bulletinFamily": "info", "description": "### *Detect date*:\n04/22/2014\n\n### *Severity*:\nHigh\n\n### *Description*:\nA lack of hostname verifications was found in the WinSCP. By exploiting this vulnerability malicious users can spoof the SSL server. 
This vulnerability can be exploited remotely via a man-in-the-middle attack.\n\n### *Affected products*:\nWinSCP versions 5.5.2 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nSB\n\n### *Related products*:\n[WinSCP](<https://threats.kaspersky.com/en/product/WinSCP/>)\n\n### *CVE-IDS*:\n[CVE-2014-2735](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2735>)", "modified": "2019-02-13T00:00:00", "published": "2014-04-22T00:00:00", "id": "KLA10396", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10396", "title": "KLA10396 SB vulnerability in WinSCP", "type": "kaspersky", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:18:17", "bulletinFamily": "scanner", "description": "The WinSCP program installed on the remote host is version 4.x later\nthan 4.3.7, 5.x later than 5.0.6 and prior to 5.5.3. It is, therefore,\naffected by the following vulnerabilities :\n\n - An out-of-bounds read error, known as the 'Heartbleed\n Bug', exists related to handling TLS heartbeat\n extensions that allow an attacker to obtain sensitive\n information such as primary key material, secondary key\n material, and other protected content. 
(CVE-2014-0160)\n\n - An error exists related to X.509 certificates, FTP\n with TLS, and host validation that allows an attacker to\n spoof a server and obtain sensitive information.\n (CVE-2014-2735)", "modified": "2018-11-15T00:00:00", "published": "2014-04-18T00:00:00", "id": "WINSCP_5_5_3.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=73613", "title": "WinSCP Heartbeat Information Disclosure (Heartbleed)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(73613);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2014-0160\", \"CVE-2014-2735\");\n script_bugtraq_id(66690, 66936);\n script_xref(name:\"CERT\", value:\"720951\");\n script_xref(name:\"EDB-ID\", value:\"32745\");\n script_xref(name:\"EDB-ID\", value:\"32764\");\n script_xref(name:\"EDB-ID\", value:\"32791\");\n script_xref(name:\"EDB-ID\", value:\"32998\");\n\n script_name(english:\"WinSCP Heartbeat Information Disclosure (Heartbleed)\");\n script_summary(english:\"Checks version of WinSCP.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WinSCP program installed on the remote host is version 4.x later\nthan 4.3.7, 5.x later than 5.0.6 and prior to 5.5.3. It is, therefore,\naffected by the following vulnerabilities :\n\n - An out-of-bounds read error, known as the 'Heartbleed\n Bug', exists related to handling TLS heartbeat\n extensions that allow an attacker to obtain sensitive\n information such as primary key material, secondary key\n material, and other protected content. 
(CVE-2014-0160)\n\n - An error exists related to X.509 certificates, FTP\n with TLS, and host validation that allows an attacker to\n spoof a server and obtain sensitive information.\n (CVE-2014-2735)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2014/Apr/90\");\n script_set_attribute(attribute:\"see_also\", value:\"https://winscp.net/tracker/show_bug.cgi?id=1151\");\n script_set_attribute(attribute:\"see_also\", value:\"https://winscp.net/tracker/show_bug.cgi?id=1152\");\n script_set_attribute(attribute:\"see_also\", value:\"https://winscp.net/eng/docs/history#5.5.3\");\n script_set_attribute(attribute:\"see_also\", value:\"http://heartbleed.com/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://eprint.iacr.org/2014/140\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.openssl.org/news/vulnerabilities.html#2014-0160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20140407.txt\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to WinSCP version 5.5.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n \n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:winscp:winscp\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"winscp_installed.nbin\");\n script_require_keys(\"installed_sw/WinSCP\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'WinSCP';\nfixed_version = '5.5.3';\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\n\nif (\n # 4.x later than 4.3.7\n (version =~ \"^4\\.\" && ver_compare(ver:version, fix:\"4.3.7\", strict:FALSE) > 0) ||\n # 5.0.6 < 5.x < 5.5.0\n (version =~ \"^5\\.[0-4]\\.\" && ver_compare(ver:version, fix:\"5.0.6\", strict:FALSE) > 0) ||\n # 5.5.x < 5.5.3\n (version =~ \"^5\\.5\\.\" && ver_compare(ver:version, fix:\"5.5.3.4193\", strict:FALSE) < 0)\n)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed versions : ' + fixed_version + \n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}