TLS over FTP security issue
Posted: 2021-01-24 20:41
I have the following settings configured on the server:
FTP over TLS settings
X - Enable FTP over TLS support
X - Disallow plain unencrypted FTP
X - Force PROT P to encrypt file transfers when using FTP over TLS
X - Require TLS session resumption on data connection when using PROT P
I am using a self-signed 2048-bit certificate and port 990 for implicit TLS connections (disallowing explicit FTP over TLS).
Any guidance on closing this vulnerability would be appreciated. Below is the security scan report:
Medium (CVSS: 4.8)
NVT: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108528)
Summary
The remote host is running a FTP service that allows cleartext logins over unencrypted connections.
Vulnerability Detection Result
The remote FTP service accepts logins without a previous sent 'AUTH TLS' command. Response(s):
- Non-anonymous sessions: 331 This server does not allow plain FTP. You have to use FTP over TLS.
- Anonymous sessions: 331 This server does not allow plain FTP. You have to use FTP over TLS.
Impact
An attacker can uncover login names and passwords by sniffing traffic to the FTP service.
Solution
Solution type: Mitigation
Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual of the FTP service for more information.
Vulnerability Detection Method
Tries to login to a non FTPS enabled FTP service without sending a 'AUTH TLS' command first and checks if the service is accepting the login without enforcing the use of the 'AUTH TLS' command.
Details: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108528)
Version used: $Revision: 13611 $
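The security-relevant detail in the report is the reply code, not the wording: the scanner sent USER without AUTH TLS and got back 331 ("need password"), and 331 is what a real FTP client acts on, so it would send the password in the clear before the server refuses it. The following Python check is an added example, not from the original post and not the FTP server's own code. It reproduces the scanner's cleartext probe, judges the replies by their numeric codes, and verifies the intended path (implicit TLS on 990 with PROT P, trusting only the exported self-signed certificate instead of switching verification off). The sample transcript reuses the 331 text quoted in the report; the 530 reply to PASS, the `ImplicitFTPTLS` subclass, and the host, credential and `cafile` values are assumptions.

```python
# Added example (not from the original post). HOST, USER, PASSWORD and CAFILE are placeholders.
import socket
import ssl
from ftplib import FTP_TLS
from typing import Optional

# Constructed sample transcript of a plain (non-TLS) session on port 21. The 331 text is
# the one quoted in the scan report; the 530 reply to PASS is assumed.
SAMPLE_PLAIN_REPLIES = {
    "USER": "331 This server does not allow plain FTP. You have to use FTP over TLS.",
    "PASS": "530 Login incorrect.",
}

def reply_code(line: str) -> int:
    """Three-digit code at the start of an FTP reply line (RFC 959)."""
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"not an FTP reply: {line!r}")
    return int(line[:3])

def read_reply(f) -> str:
    """Read one FTP reply from a binary file object and return its final line.
    A multi-line reply opens with 'NNN-' and closes with a line starting 'NNN '."""
    code = None
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("latin-1").rstrip("\r\n")
        if code is None:
            code = line[:3]
            if len(line) < 4 or line[3] != "-":
                return line
        elif line.startswith(code + " ") or line == code:
            return line

def assess_plain_login(user_reply: str, pass_reply: Optional[str]) -> dict:
    """Judge a cleartext USER/PASS exchange by reply codes, which both the scanner
    and real FTP clients act on, not by the reply's wording:
      5xx to USER -> rejected before any password crosses the wire
      331 to USER -> the client is asked for, and sends, the password in the clear
      2xx to PASS -> cleartext login accepted (the finding's real impact)"""
    user_code = reply_code(user_reply)
    r = {"user_code": user_code, "pass_code": None,
         "password_sent_in_clear": False, "cleartext_login_accepted": False}
    if user_code // 100 == 5:
        r["verdict"] = "rejected at USER; no password sent"
    elif user_code == 331 and pass_reply is not None:
        r["pass_code"] = reply_code(pass_reply)
        r["password_sent_in_clear"] = True
        r["cleartext_login_accepted"] = r["pass_code"] // 100 == 2
        r["verdict"] = ("cleartext login accepted" if r["cleartext_login_accepted"]
                        else "refused at PASS, but credentials crossed the wire unencrypted")
    else:
        r["verdict"] = f"unexpected reply sequence: USER={user_code}, PASS={pass_reply!r}"
    return r

def probe_plain_login(host: str, port: int = 21, user: str = "anonymous",
                      password: str = "probe@example.invalid", timeout: float = 5.0) -> dict:
    """Do what the NVT does: plain TCP, USER/PASS, no AUTH TLS. Re-run after changing
    the server settings to confirm the USER reply is a 5xx (or port 21 is closed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        banner = read_reply(f)
        f.write(f"USER {user}\r\n".encode("latin-1")); f.flush()
        user_reply = read_reply(f)
        pass_reply = None
        if reply_code(user_reply) == 331:
            f.write(f"PASS {password}\r\n".encode("latin-1")); f.flush()
            pass_reply = read_reply(f)
        f.write(b"QUIT\r\n"); f.flush()
    r = assess_plain_login(user_reply, pass_reply)
    r["banner"] = banner
    return r

class ImplicitFTPTLS(FTP_TLS):
    """ftplib.FTP_TLS only speaks explicit AUTH TLS; for implicit TLS on 990 the control
    socket must be wrapped before the banner is read (own subclass, an assumption)."""
    def connect(self, host="", port=0, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        self.sock = socket.create_connection((self.host, self.port), self.timeout, source_address)
        self.af = self.sock.family
        self.sock = self.context.wrap_socket(self.sock, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=getattr(self, "encoding", "latin-1"))
        self.welcome = self.getresp()
        return self.welcome

def check_implicit_tls(host: str, user: str, password: str, cafile: str, port: int = 990) -> dict:
    """Log in over implicit TLS with PROT P, trusting only the server's own self-signed
    certificate exported to `cafile` (it must name `host`) rather than disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ftps = ImplicitFTPTLS(context=ctx)
    ftps.connect(host, port)
    ftps.login(user, password)   # no AUTH TLS needed: the socket is already TLS
    ftps.prot_p()                # encrypt data connections too ("Force PROT P")
    entries = ftps.nlst()        # current ftplib resumes the control TLS session on the data channel
    version = ftps.sock.version()
    ftps.quit()
    return {"tls_version": version, "entries": len(entries)}
```

On the server as reported, `probe_plain_login(HOST)` returns `user_code` 331 and `password_sent_in_clear` True, which is the condition the NVT flagged even though the login is then refused. The settings change is done when the probe reports "rejected at USER" (a 5xx to USER) or port 21 no longer accepts connections, while `check_implicit_tls(HOST, USER, PASSWORD, CAFILE)` still succeeds.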