Jscape Secure FTP Applet

2008.11.20
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.001 23-June-2008 ________________________________________________________________________ ____ ____ Vendor: Jscape, http://www.jscape.com/ Affected Products: Jscape Secure FTP Applet http://www.jscape.com/sftpapplet/index.html Vulnerability: SSH Host key is not verified allowing for Man in the Middle attacks Risk: High ________________________________________________________________________ ____ ____ Overview ^^^^^^^^ JSCAPE software has been deployed in a wide array of industries including aerospace, banking, communications, education, insurance, finance, government and software. With customers in more than 50 countries worldwide the following is a small sample of companies who use JSCAPE products and services. Customers include Boeing, SUN, ISS, SAP - See http://www.jscape.com/clients.html for more details. Secure FTP Applet is a secure FTP client component that runs within your web browser. Secure FTP Applet [..] while encrypting all data exchanged between the client and server using either the SFTP (FTP over SSH) or FTPS (FTP over SSL) protocols [..] ensuring that all data exchanged is completely secure. Description ^^^^^^^^^^^ During the connection the Applet does not verify or display the host key. As such n.runs was able to perform a man in the middle attack during a penetration test at a client. Read more about SSH Host verification: http://www.securityfocus.com/infocus/1806 Impact ^^^^^^ The supposedly secure connection is no longer secure. n.runs was able to extract login, password and data with a simple SSH Man in the Middle attack. Solution: ^^^^^^^^^ Upgrade to version 4.9.0 or above ________________________________________________________________________ ____ ____ Vendor communication: 2006/04/12 n.runs sends a Vulnerability notice informing Jscape about the nature of the problem and the impact. 2006/04/13 Jscape acknowledges and ask for more details 2006/04/13 n.runs sends more details 2007/07/26 n.runs asks for feedback and if the problem has been patched 2007/07/26 Jscape replies "We do not have a release date yet for this task" 2007/07/26 n.runs asks whether they can offer a estimate when the patch will be available 2007/07/26 Jscape answers again "We do not have a release date yet for this task" 2008/02/19 n.runs requests a statement to be used in the advisory as there seems to be no intention to patch and argues "you deem this problem as low yet it renders the *secure connection* insecure." 2008/02/20 Jscape promises to "continue to look into this issue and notify you when a patch is available. 2008/02/25 n.runs notifies Jscape that an advisory will be released by the end of the week if they do not patch the flaw n.runs reported roughly 2 years ago. "Given the long time this has already been reported (12/2006), and the criticality of this issue, I would expect a patch to be ready by the end of the week. If the patch is not available until the end of this week (29.02.2008) I'll proceed with the advisory" 2008/02/29 Jscape notifies n.runs that the flaw has been patched 2008/06/01 n.runs verifies the patch and confirms that Man in the Middle is not longer possible if the user does not accept the new key. n.runs however recommends that Jscape warns the users of the security implications of a new SSH Host key rather then simply displaying "New Host key". ________________________________________________________________________ ____ ____ Credit ^^^^^^ Vulnerability discovered by Frank Dick and Thierry Zoller of n.runs AG. About n.runs ^^^^^^^^^^^^ n.runs AG is a vendor-independent consulting company specialising in the areas of: IT Infrastructure, IT Security and IT Business Consulting. In 2007, n.runs expanded its core business area, which until then had been project based consulting, to include the development of high-end security solutions. Application Protection System - Anti Virus (aps-AV) is the first high-end security solution that n.runs is bringing to the market. Advisories can be found at : http://www.nruns.com/security_advisory.php Copyright Notice ^^^^^^^^^^^^^^^^ Unnaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security (at) nruns (dot) com [email concealed] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright n.runs AG. All rights reserved. Terms of use apply. ________________________________________________________________________ ____ ____ Subscribe to the n.runs newsletter to be informed of the latest threats and tools by signing up to : http://www.nruns.com/newsletter_en.php

References:

http://xforce.iss.net/xforce/xfdb/43300
http://www.securitytracker.com/id?1020346
http://www.securityfocus.com/bid/29882
http://www.securityfocus.com/archive/1/archive/1/493569/100/0/threaded
http://www.jscape.com/sftpapplet/docs/HTML/index.html?introhistory.html
http://secunia.com/advisories/30822


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top