Advisory ID: SYSS-2014-002
Product: FTP Rush
Vendor: Wing FTP Software
Affected Version(s): v2.1.8
Tested Version(s): v2.1.8 (Windows 7 32 bit and Windows 8.1 64 bit)
Vulnerability Type: X.509 validation
Risk Level: Medium
Solution Status:
Vendor Notification: 2014-04-04
Solution Date:
Public Disclosure: 2014-05-19
CVE Reference: Not assigned, (but similiar to CVE-2012-6606)
Author of Advisory: Micha Borrmann (SySS GmbH)
Overview:
FTP Rush does not validating X.509 certificates, if FTP with TLS is used
Vulnerability Details:
A user can not recognize an easy to perform
man-in-the-middle attack, because the client is not validate the X.509
certificate from the FTP server. In an untrusted networking
environment (like a Wifi hotspot), the current FTP AUTH TLS connection
with FTP Rush should be classified as not encrypted.
Proof of Concept (PoC): not needed
Solution: use another client for FTP with AUTH TLS
Disclosure Timeline:
April 3, 2014 - Vulnerability discovered
April 4, 2014 - Vulnerability reported to vendor
May 19, 2014 - Vulnerability disclosure, after a period of 45 days for a responsible disclosure
Credits:
Security vulnerability found by Micha Borrmann of the SySS GmbH.
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS web site
(https://www.syss.de/aktuelles/advisories/advisory-ftp-rush/)
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en