Hi,
We're using FileZilla Pro Server for one of our clients but our vulnerability testing shows a critical vulnerability with the software. We're on the latest version, but this vulnerability dates back to 2018. Has anyone seen this? Does anyone know if there is an available fix?
I used the search feature but I couldn't find this topic being discussed anywhere. Thanks!
Vulnerability - Libssh CVE-2018-10933 Authentication Bypass Vulnerability
-
- 500 Command not understood
- Posts: 3
- Joined: 2024-05-02 20:55
Re: Vulnerability - Libssh CVE-2018-10933 Authentication Bypass Vulnerability
Looks like a false-positive, FileZilla Server is not related in any way to libssh.
Re: Vulnerability - Libssh CVE-2018-10933 Authentication Bypass Vulnerability
Thank you, Botg, for the swift response.
Re: Vulnerability - Libssh CVE-2018-10933 Authentication Bypass Vulnerability
One more while I have your ear. How about this one?
Synopsis: SSH server is vulnerable to denial of service vulnerability.
Description: [CVE-2002-20001] The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can requir...
Solution: Disabling the Diffie-Hellman key exchange algorithms in the application server configurations mitigates the vulnerability. Using application server-specific rate limitation techniques or rate-limiting suspicious clients by their addresses (e.g., Fail2Ban) can effectively reduce the risk of a successful attack.
Findings: Vulnerable diffie-hellman KEXs supported by the server:
diffie-hellman-group-exchange-sha256,
diffie-hellman-group14-sha1
What are your thoughts on this one? Thanks!
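A defender-side check for this kind of finding, added here as an example that is not part of the thread and not FileZilla Server's own code: it parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), lists the finite-field Diffie-Hellman KEX names the server offers (the class of algorithms CVE-2002-20001 concerns, and what the scanner's "Findings" line reports), and shows the offered list with those names removed, which is what the "disable the DH key exchange algorithms" mitigation amounts to. The sample payload, the algorithm lists and all function names are constructed for this example; the two DHE names are the ones from the finding above.

```python
import struct

SSH_MSG_KEXINIT = 20

# Constructed sample: the two DHE KEX names from the scanner finding above plus
# two elliptic-curve KEX names that are not finite-field DHE.
SAMPLE_KEX = [
    "curve25519-sha256",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]
SAMPLE_HOSTKEY = ["ssh-ed25519", "rsa-sha2-256"]
SAMPLE_CIPHER = ["aes256-gcm@openssh.com", "aes128-ctr"]
SAMPLE_MAC = ["hmac-sha2-256"]
SAMPLE_COMP = ["none"]

# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, cipher, mac, comp, cookie=b"\x00" * 16):
    """Build a KEXINIT payload for the constructed sample (cookie is fixed for the example)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, cipher, cipher, mac, mac, comp, comp, [], []):
        body += _name_list(names)
    body += b"\x00"               # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)  # reserved, always 0
    return body


def parse_kexinit(payload):
    """Parse a KEXINIT payload into its name-lists; reject truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message byte + 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        out[field] = raw.split(",") if raw else []
    if pos + 5 > len(payload):
        raise ValueError("truncated trailer")
    out["first_kex_packet_follows"] = payload[pos] != 0
    return out


def dhe_kex_offered(kex_names):
    """Finite-field DHE KEX names: fixed groups and group-exchange alike."""
    return [n for n in kex_names if n.startswith("diffie-hellman-group")]


def hardened_kex(kex_names):
    """The same offer with every finite-field DHE method removed."""
    dhe = set(dhe_kex_offered(kex_names))
    return [n for n in kex_names if n not in dhe]


def audit_sample():
    """Run the check over the constructed server KEXINIT and return the DHE names found."""
    parsed = parse_kexinit(build_kexinit(SAMPLE_KEX, SAMPLE_HOSTKEY,
                                         SAMPLE_CIPHER, SAMPLE_MAC, SAMPLE_COMP))
    return dhe_kex_offered(parsed["kex"])


if __name__ == "__main__":
    found = audit_sample()
    print("DHE KEX offered by server:", ", ".join(found) or "none")
    print("Offer without DHE:", ", ".join(hardened_kex(SAMPLE_KEX)))
```

On a real server the payload would be the server's KEXINIT read from the socket after the version exchange; the classification here flags every `diffie-hellman-group*` name, which is the whole finite-field DHE family rather than only the two names the scanner listed, so compare its output against whatever the server's configuration is expected to offer after the mitigation.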