CVE-2016-2183

Message

jovsel · #1 Post by **jovsel** » 2018-10-17 11:23

Hi,

We have FileZilla Server 0.9.56 and found out vulnerable with CVE-2016-2183: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) on port 21 and 990. We know port 21 is used for file transfer. The port 990 is default.

By the way, the use of our FileZilla server is for the sending of logs from our BLuecoat ProxySG to a server.

Any ideas how we can remediate this?

Thank you,
Jovsel

#2 Post by **botg** » 2018-10-17 13:05

You need to update to the most recent version of FileZilla Server, old versions are not supported.

jovsel · #3 Post by **jovsel** » 2018-10-17 13:30

Hi botg,

Does it mean, upgrading to latest version remediate the vulnerabilities?
Is there any compatibility issue on the latest version?

Thanks.

#4 Post by **boco** » 2018-10-17 14:12

https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.

And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use even different ports.

jovsel · #5 Post by **jovsel** » 2018-10-31 07:35

boco wrote: ↑
2018-10-17 14:12
https://filezilla-project.org/versions.php?type=server

The immediate problem is that you won't receive any support for old versions, so you MUST be on the latest version, even if it wouldn't resolve the issue at hand.

We know port 21 is used for file transfer. The port 990 is default.
And we know this is wrong. Port 21 is used for non-encrypted FTP and Explicit FTP over TLS (recommended). Port 990 is for Implicit FTP over TLS. Data connections (listings, transfers) use even different ports.

Thank you boco for the reply and clarification.
Upon checking, latest version of filezilla server is 0.9.60.2, is this compatible on the window server 2008 R2 Enterprise? In this version 0.9.60.2, is there a possible we can disable port 990?

Thanks.

#6 Post by **boco** » 2018-10-31 08:13

Server 2008 R2 (NT6.1) is supported.

Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).

jovsel · #7 Post by **jovsel** » 2018-10-31 08:41

boco wrote: ↑
2018-10-31 08:13

Just clear the Implicit port field on the server's TLS setting page, and FZ Server will stop listening on that port. Implicit FTPS won't be available (no big loss).

Clearing the implicit port is only applicable in version 0.9.60.2?

#8 Post by **boco** » 2018-10-31 21:08

May work, or not. We don't care about older versions, you won't receive ANY support for them. In your own interest, always be on the latest version.

FileZilla Forums

CVE-2016-2183

CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183

Re: CVE-2016-2183