CVE-2016-2183

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
jovsel
504 Command not implemented
Posts: 7
Joined: 2017-01-17 08:39
First name: jovie
Last name: sel

CVE-2016-2183

#1 Post by jovsel » 2018-10-17 11:23

Hi,

We have FileZilla Server 0.9.56 and found out vulnerable with CVE-2016-2183: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) on port 21 and 990. We know port 21 is used for file transfer. The port 990 is default.

By the way, the use of our FileZilla server is for the sending of logs from our BLuecoat ProxySG to a server.

Any ideas how we can remediate this?

Thank you,
Jovsel

User avatar
botg
Site Admin
Posts: 31574
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: CVE-2016-2183

#2 Post by botg » 2018-10-17 13:05

You need to update to the most recent version of FileZilla Server, old versions are not supported.

jovsel
504 Command not implemented
Posts: 7
Joined: 2017-01-17 08:39
First name: jovie
Last name: sel

Re: CVE-2016-2183

#3 Post by jovsel » 2018-10-17 13:30

Hi botg,

Does it mean, upgrading to latest version remediate the vulnerabilities?
Is there any compatibility issue on the latest version?

Thanks.

User avatar
boco
Contributor
Posts: 24152
Joined: 2006-05-01 03:28
Location: Germany

Re: CVE-2016-2183

#4 Post by boco » 2018-10-17 14:12

https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.
And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use even different ports.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

jovsel
504 Command not implemented
Posts: 7
Joined: 2017-01-17 08:39
First name: jovie
Last name: sel

Re: CVE-2016-2183

#5 Post by jovsel » 2018-10-31 07:35

boco wrote:
2018-10-17 14:12
https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.
And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use even different ports.

Thank you boco for the reply and clarification.
Upon checking, latest version of filezilla server is 0.9.60.2, is this compatible on the window server 2008 R2 Enterprise? In this version 0.9.60.2, is there a possible we can disable port 990?

Thanks.

User avatar
boco
Contributor
Posts: 24152
Joined: 2006-05-01 03:28
Location: Germany

Re: CVE-2016-2183

#6 Post by boco » 2018-10-31 08:13

Server 2008 R2 (NT6.1) is supported.

Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

jovsel
504 Command not implemented
Posts: 7
Joined: 2017-01-17 08:39
First name: jovie
Last name: sel

Re: CVE-2016-2183

#7 Post by jovsel » 2018-10-31 08:41

boco wrote:
2018-10-31 08:13


Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).
Clearing the implicit port is only applicable in version 0.9.60.2?

User avatar
boco
Contributor
Posts: 24152
Joined: 2006-05-01 03:28
Location: Germany

Re: CVE-2016-2183

#8 Post by boco » 2018-10-31 21:08

May work, or not. We don't care about older versions, you won't receive ANY support for them. In your own interest, always be on the latest version.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

Post Reply