Multiple vulnerabilities in Cerberus FTP Server
Three vulnerabilities (denial of service and security bypass) have been fixed in this Windows-based FTP server (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568).
Danger level: Medium
Fix available: Yes
Number of vulnerabilities: 3
CVSSv2 Rating:
(AV: N / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8
(AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: O / RC: C) = Base: 5 / Temporal: 0
(AV: N / AC: L / Au: N / C: P / I: P / A: N / E: U / RL: O / RC: C) = Base: 6.4 / Temporal: 4.7
CVE ID: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568
Attack vector: Remote
Impact: Denial of service, Security Bypass
Affected products: Cerberus FTP Server 7.x
Affected versions: Cerberus FTP Server versions prior to 7.0.5.0
Description:
The vulnerabilities allow a remote user to bypass certain security restrictions and to cause a denial of service.
1. CVE-2014-3513: This vulnerability allows a remote attacker to cause a memory leak.
The vulnerability is due to an error in the processing of the DTLS SRTP extension in OpenSSL. A remote user can trigger a memory leak and crash the application.
2. CVE-2014-3567: This vulnerability allows a remote user to cause a denial of service.
The vulnerability is due to the SSL / TLS / DTLS server incorrectly checking session tickets. This can be exploited to cause a memory leak and, with it, a denial of service.
3. CVE-2014-3568: This vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability is due to OpenSSL not properly enforcing the no-ssl3 build option. A remote user can bypass intended access restrictions via an SSL 3.0 handshake.
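The practical check for item 3 is whether a server that is supposed to have SSL 3.0 disabled still ends up negotiating it. The following added example (not code from the advisory or from Cerberus FTP) inspects a captured TLS record carrying a ServerHello and reports the version the server actually chose; the sample records are constructed inline, and the function names are the author's own.

```python
"""Flag SSL 3.0 negotiation in a captured TLS ServerHello record (added example)."""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = 0x16      # TLS record content type for handshake messages
SERVER_HELLO = 0x02   # handshake message type


def negotiated_version(record: bytes):
    """Return the ServerHello server_version as an int, or None if the bytes
    are not a complete handshake record containing a ServerHello."""
    # Record header: content_type(1) version(2) length(2)
    if len(record) < 5:
        return None
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != HANDSHAKE or len(body) < length or length < 6:
        return None
    # Handshake header: msg_type(1) length(3), then server_version(2)
    if body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if len(body) - 4 < hs_len or hs_len < 2:
        return None
    return struct.unpack("!H", body[4:6])[0]


def audit(record: bytes) -> str:
    """Classify a captured record; anything at or below SSL 3.0 is flagged."""
    ver = negotiated_version(record)
    if ver is None:
        return "not a ServerHello record"
    name = VERSION_NAMES.get(ver, f"unknown (0x{ver:04x})")
    if ver <= 0x0300:
        return f"ALERT: server negotiated {name}; SSL 3.0 should be refused"
    return f"ok: server negotiated {name}"


def make_server_hello(version: int) -> bytes:
    """Constructed minimal ServerHello: version, 32-byte random, empty session id,
    one cipher suite (0x002f), null compression. Used here as sample input."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is deliberately 3.1: only the ServerHello's own
    # server_version field tells you what was negotiated.
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        print(audit(make_server_hello(v)))
```

Feed it records from a packet capture of the FTPS control channel; a server patched to 7.0.5.0 with SSL 3.0 disabled should never produce the ALERT line.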
Solution: Install the latest version, 7.0.5.0, from the manufacturer's website.
References: http://www.cerberusftp.com/products/releasenotes.html
Manufacturer URL: http://www.cerberusftp.com/