SSLv3 POODLE vulnerability and SFTPPlus

Wed 22 October 2014 | security server client

Issue

In late September, a team at Google discovered a serious vulnerability in SSL 3.0, known as “POODLE”.

By exploiting this vulnerability, an attacker can gain access to data send over what is supposed to be a secured connection.

Affected protocols

SFTPPlus Server and Client are affected by SSLv3 POODLE vulnerability for FTPS, HTTPS protocols as well as for the HTTPS web based management tool.

SFTP and SCP protocols are not affected.

This is a design flaw within the SSLv3 protocol itself and is not related to SFTPPlus specific implementation or any other vendor’s implementation.

Solution for SFTPPlus Server

As a way to fix this you should disable SSLv3 protocol and only use TLSv1 for FTPS (explicit or implicit) and HTTPS protocols, including the Local Manager web based administration interface.

To disable SSLv3 in SFTPPlus Server this can be done using the ssl_allowed_methods = tlsv1 configuration options for all vulnerable protocols. For more details see ssl_allowed_methods documentation.

The default configuration options support both SSLv3 and TLSv1. SSLv2 was never enabled as the protocol was also proved vulnerable.

In case you still need to use SSLv3 you should disable the CBC based cipher suites. This means enabling only the RC4-SHA cipher as this is the only cipher not using CBC. To do this, set ssl_cipher_list = RC4-SHA . For more details see ssl_cipher_list documentation.

We will soon release a new version of SFTPPlus Server which will disable SSLv3 by default.

Solution for SFTPPlus Client

SFTPPlus Client can also be configured to only use RC4-SHA cipher using the ciphers = 'RC4-SHA' configuration. For more details see ciphers documentation.

We will soon release a new version of SFTPPlus Client which will disable SSLv3 by default.