
BEAST vulnerability found in FileZilla

Posted: 2020-05-06 23:16
by yellowrider03
I'm posting to reach out and ask if anyone has had an occurrence of the BEAST vulnerability in version 0.9.60beta, showing up in an internal scan as "Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1" on TLS port 990.

This is being reported as a vulnerability and I can find no record of how to remediate it; I believe that if AES 256 is turned off, FileZilla will no longer work.

Any input will be much appreciated.

Re: BEAST vulnerability found in FileZilla

Posted: 2020-05-07 10:07
by botg
You can disable TLSv1 by setting the "Minimum TLS version" in FileZilla Server.xml to 1 or 2, to require at least TLSv1.1 or 1.2 respectively.
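As an added illustration, and not code from the FileZilla project or from either poster, the following Python snippet does two things around this thread: it classifies a scanner "Negotiated cipher suite" line of the form quoted in the question (BEAST concerns CBC-mode suites negotiated under SSLv3 or TLS 1.0; TLS 1.1 and later use per-record explicit IVs, and non-CBC suites are not affected), and it rewrites the "Minimum TLS version" item that botg refers to. The XML layout used for FileZilla Server.xml (a Settings element holding Item elements with a name attribute) is an assumption for illustration only; compare it with the actual file before applying it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the scanner line quoted in the question above.
SCAN_LINE = ("Negotiated cipher suite: "
             "AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1")

# Constructed sample of FileZilla Server.xml. The element layout is an
# assumption for this example, not taken from the project's documentation.
SAMPLE_CONFIG = """<FileZillaServer>
  <Settings>
    <Item name="Serverports" type="string">21</Item>
    <Item name="Minimum TLS version" type="numeric">0</Item>
  </Settings>
</FileZillaServer>
"""

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1")  # versions with chained CBC IVs


def parse_suite(line):
    """Split 'Negotiated cipher suite: NAME|PROTO|Kx=..|..' into a dict."""
    m = re.search(r"Negotiated cipher suite:\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("not a negotiated-cipher-suite line: %r" % line)
    fields = m.group(1).split("|")
    suite = {"name": fields[0], "protocol": fields[1]}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        suite[key] = value
    return suite


def is_beast_exposed(line):
    """True when a CBC suite was negotiated under SSLv3 or TLS 1.0.

    The cipher strength (AES-256 here) is irrelevant; only the protocol
    version and the CBC mode matter, so the fix is to raise the minimum
    TLS version rather than to disable AES-256.
    """
    suite = parse_suite(line)
    legacy = suite["protocol"] in LEGACY_PROTOCOLS
    cbc = "CBC" in suite.get("Enc", "").upper()
    return legacy and cbc


def minimum_tls_version(xml_text):
    """Read the 'Minimum TLS version' item; 0 (TLS 1.0) when absent."""
    root = ET.fromstring(xml_text)
    for item in root.iter("Item"):
        if item.get("name") == "Minimum TLS version":
            return int(item.text)
    return 0


def set_minimum_tls_version(xml_text, version):
    """Return the config with 'Minimum TLS version' set to 0, 1 or 2.

    Per the reply above: 1 requires at least TLS 1.1, 2 at least TLS 1.2.
    """
    if version not in (0, 1, 2):
        raise ValueError("version must be 0 (TLS 1.0), 1 (TLS 1.1) or 2 (TLS 1.2)")
    root = ET.fromstring(xml_text)
    settings = root.find("Settings")
    if settings is None:
        raise ValueError("no <Settings> element found")
    item = next((it for it in settings.findall("Item")
                 if it.get("name") == "Minimum TLS version"), None)
    if item is None:
        item = ET.SubElement(settings, "Item",
                             name="Minimum TLS version", type="numeric")
    item.text = str(version)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("BEAST-exposed:", is_beast_exposed(SCAN_LINE))
    hardened = set_minimum_tls_version(SAMPLE_CONFIG, 2)
    print("Minimum TLS version after change:", minimum_tls_version(hardened))
```

After restarting the server with the changed setting, a handshake forced to TLS 1.0 (for example `openssl s_client -connect host:990 -tls1`) should be refused, while a default handshake still negotiates the AES suite under TLS 1.2; that pair of checks is what confirms the finding is closed without dropping AES-256.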