Overview
A logging function used by multiple vendors' SFTP servers contains a format string vulnerability, which may allow an authorized remote attacker to execute arbitrary code or cause a denial of service.
Description
SFTP
SFTP (Secure FTP) is a file transfer application that uses SSH for encryption.
The problem
The logging function of several vendors' SFTP servers contains a format string vulnerability.
Vulnerable products include:
- Reflection for Secure IT UNIX Server version 6.0
- Reflection for Secure IT Windows Server version 6.0
- F-Secure SSH Server for Windows version 5.x
- F-Secure SSH Server for UNIX version 3.x through 5.x
Impact
A remote authenticated attacker may be able to execute arbitrary code with the privilege of the user or cause a denial of service to the SSH server.
Solution
Upgrade or patch
AttachmateWRQ Reflection for Secure IT and F-Secure SSH Server users should install an upgrade, as specified in WRQ Tech Note 1882.
According to the WRQ Tech note, the following workaround may prevent exploitation of the vulnerability:
On UNIX Servers
1. Edit the SSH server's sshd2_config file:
   1. Change the line
      subsystem-sftp internal://sftp-server
      to
      subsystem-sftp sftp-server
      Note: This change disallows the use of chroot.
   2. Comment out the SftpSyslogFacility keyword line. Note: The line should begin with two "pound" signs, as in this example:
      ## SftpSyslogFacility LOCAL7
2. Restart the SSH server to read the changes in the configuration file.
On Windows Servers
The only workaround is to disable the sftp subsystem as follows:
1. Edit the SSH server's sshd2_config file and comment out the subsystem-sftp line. Note: The line should begin with two "pound" signs, as in this example:
   ## subsystem-sftp "fsshsftpd.exe"
2. Restart the SSH server to read the change in the configuration file.
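Whether a given sshd2_config already carries the workaround can be checked mechanically. The shell function below is an added example, not part of the original note or of either vendor's tooling; the name audit_sshd2_config and the sample file are constructed for illustration. It assumes keywords are case-insensitive, are separated from their values by whitespace, and that any line starting with # is a comment.

```shell
#!/bin/sh
# Added example: report sshd2_config lines that still need the workaround.
# Assumptions (not from the advisory): keywords are case-insensitive, keyword
# and value are separated by whitespace, and a line whose first non-blank
# character is '#' is a comment.

# audit_sshd2_config FILE PLATFORM   (PLATFORM: "unix" or "windows")
# Prints one line per finding. Returns 0 when the workaround is in place,
# 1 when findings remain, 2 on a usage error.
audit_sshd2_config() {
    file=$1
    platform=$2
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    case $platform in
        unix|windows) ;;
        *) echo "platform must be unix or windows" >&2; return 2 ;;
    esac
    awk -v platform="$platform" '
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }   # skip comments and blank lines
        {
            key = tolower($1)
            val = tolower($2)
            gsub(/"/, "", val)
            if (key == "subsystem-sftp" && platform == "windows") {
                printf "line %d: sftp subsystem still enabled: %s\n", NR, $0
                bad = 1
            } else if (key == "subsystem-sftp" && index(val, "internal://") == 1) {
                printf "line %d: internal:// sftp-server still configured: %s\n", NR, $0
                bad = 1
            } else if (key == "sftpsyslogfacility" && platform == "unix") {
                printf "line %d: SftpSyslogFacility still active: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample: a UNIX config before the workaround is applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## constructed sample, not a real server configuration
subsystem-sftp          internal://sftp-server
SftpSyslogFacility      LOCAL7
EOF
audit_sshd2_config "$sample" unix || echo "workaround not yet applied"
rm -f "$sample"
```

A clean result only shows the file on disk is edited; the server still has to be restarted to read it.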
Acknowledgements
Thanks to WRQ for reporting this vulnerability.
This document was written by Will Dormann.
CVE IDs: None
Severity Metric: 3.38
Date Public: 2006-02-13
Date First Published: 2006-02-13
Date Last Updated: 2006-02-15 14:51 UTC
Document Revision: 10