CVE-2016-2183

Posted: 2018-10-17 11:23
by jovsel
Hi,

We have FileZilla Server 0.9.56 and found out it is vulnerable to CVE-2016-2183: Birthday attacks against TLS ciphers with 64-bit block size (Sweet32) on ports 21 and 990. We know port 21 is used for file transfer. The port 990 is default.

By the way, we use our FileZilla server for sending logs from our Bluecoat ProxySG to a server.

Any ideas how we can remediate this?

Thank you,
Jovsel

Re: CVE-2016-2183

Posted: 2018-10-17 13:05
by botg
You need to update to the most recent version of FileZilla Server, old versions are not supported.

Re: CVE-2016-2183

Posted: 2018-10-17 13:30
by jovsel
Hi botg,

Does it mean that upgrading to the latest version remediates the vulnerabilities?
Are there any compatibility issues with the latest version?

Thanks.

Re: CVE-2016-2183

Posted: 2018-10-17 14:12
by boco
https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.
And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use yet other ports.
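Since the two listener ports negotiate TLS differently (immediately on 990, after an AUTH TLS upgrade on 21), a Sweet32 finding has to be verified against each one separately. The following is an added example for checking your own server before and after the upgrade; it is not code from this thread or from the FileZilla project. It assumes you run it against a host you administer (the hostname is a command-line argument) and that the local OpenSSL build still contains 3DES suites, since the probe offers only those and treats a completed handshake as proof that the server accepts a 64-bit block cipher.

```python
"""Probe an FTP server for TLS suites with a 64-bit block cipher (Sweet32, CVE-2016-2183).

Added example, not part of the forum thread or of FileZilla Server.
Checks both listener styles: implicit FTPS (TLS immediately, default port 990)
and explicit FTP over TLS (plain greeting, then AUTH TLS, default port 21).
"""
import socket
import ssl
import sys

# OpenSSL cipher-suite name fragments that indicate a 64-bit block cipher.
SIXTY_FOUR_BIT_BLOCK = ("DES-CBC3", "3DES", "IDEA", "RC2")


def is_64bit_block_suite(name: str) -> bool:
    """True when an OpenSSL cipher-suite name uses a 64-bit block cipher."""
    upper = name.upper()
    return any(tag in upper for tag in SIXTY_FOUR_BIT_BLOCK)


def sweet32_context() -> ssl.SSLContext:
    """Client context that offers ONLY 3DES suites.

    A successful handshake therefore proves the server accepts a 64-bit block
    cipher; a refused handshake means its cipher policy already excludes them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are probing cipher policy, not identity
    ctx.set_ciphers("3DES:@SECLEVEL=0")  # SECLEVEL=0 so OpenSSL does not drop 3DES itself
    return ctx


def read_reply(rfile) -> tuple:
    """Read one FTP reply (single- or multi-line) and return (code, full text)."""
    first = rfile.readline().decode("ascii", "replace")
    code = int(first[:3])
    text = first
    if first[3:4] == "-":  # multi-line reply ends with a line "<code> ..."
        while True:
            line = rfile.readline().decode("ascii", "replace")
            text += line
            if line[:3] == first[:3] and line[3:4] == " ":
                break
    return code, text


def probe_implicit(host: str, port: int = 990, timeout: float = 5.0) -> bool:
    """Implicit FTPS: TLS starts as soon as the TCP connection is up."""
    ctx = sweet32_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return is_64bit_block_suite(tls.cipher()[0])
    except ssl.SSLError:
        return False  # server rejected every 3DES suite we offered


def probe_explicit(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Explicit FTP over TLS: read the 220 banner, send AUTH TLS, expect 234, then handshake."""
    ctx = sweet32_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        rfile = raw.makefile("rb")
        code, text = read_reply(rfile)
        if code != 220:
            raise RuntimeError("unexpected greeting: " + text.strip())
        raw.sendall(b"AUTH TLS\r\n")
        code, _ = read_reply(rfile)
        if code != 234:
            return False  # explicit TLS not offered on this port at all
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return is_64bit_block_suite(tls.cipher()[0])
        except ssl.SSLError:
            return False


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ftp.example.invalid"  # placeholder host
    for label, probe in (("explicit/21", probe_explicit), ("implicit/990", probe_implicit)):
        try:
            result = probe(target)
        except OSError as exc:  # closed port, timeout, or no listener (e.g. implicit port cleared)
            print(f"{label}: not reachable ({exc})")
            continue
        print(f"{label}: {'ACCEPTS 64-bit block cipher (Sweet32 exposure)' if result else 'ok'}")
```

A port that is no longer listening (for example after the implicit port is cleared in the server's TLS settings) shows up as "not reachable", which is the expected result for that listener; the explicit probe on 21 is the one that must report "ok" after the upgrade.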

Re: CVE-2016-2183

Posted: 2018-10-31 07:35
by jovsel
boco wrote:
2018-10-17 14:12
https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.
And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use yet other ports.

Thank you boco for the reply and clarification.
Upon checking, the latest version of FileZilla Server is 0.9.60.2; is this compatible with Windows Server 2008 R2 Enterprise? In this version 0.9.60.2, is it possible to disable port 990?

Thanks.

Re: CVE-2016-2183

Posted: 2018-10-31 08:13
by boco
Server 2008 R2 (NT6.1) is supported.

Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).

Re: CVE-2016-2183

Posted: 2018-10-31 08:41
by jovsel
boco wrote:
2018-10-31 08:13
Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).

Is clearing the implicit port only applicable in version 0.9.60.2?

Re: CVE-2016-2183

Posted: 2018-10-31 21:08
by boco
May work, or not. We don't care about older versions, you won't receive ANY support for them. In your own interest, always be on the latest version.