Cybersecurity threats 2014: Multiple vulnerabilities in Cerberus FTP Server

Posted: November 11, 2014 in Vulnerabilities

Multiple vulnerabilities in Cerberus FTP Server

Three vulnerabilities (denial of service and security bypass) have been fixed in this Windows-based FTP server (CVE-2014-3513, CVE-2014-3567, CVE-2014-3568).

Danger level: Medium
Fix available: Yes
Number of vulnerabilities: 3

CVSSv2 Rating:
(AV: N / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8
(AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: O / RC: C) = Base: 5 / Temporal: 0
(AV: N / AC: L / Au: N / C: P / I: P / A: N / E: U / RL: O / RC: C) = Base: 6.4 / Temporal: 4.7
CVE ID: CVE-2014-3513, CVE-2014-3567, CVE-2014-3568

Attack vector: Remote
Impact: Denial of service, Security Bypass

Affected products: Cerberus FTP Server 7.x
Affected versions: Cerberus FTP Server versions prior to 7.0.5.0


Description:
The vulnerabilities allow a remote user to bypass certain security restrictions and to cause a denial of service.

1. CVE-2014-3513 vulnerability: This vulnerability allows a remote attacker to cause a memory leak.

The vulnerability is due to an error when processing the DTLS SRTP extension in OpenSSL. A remote user can cause a memory leak and crash the application.

2. CVE-2014-3567 vulnerability: This vulnerability allows a remote user to cause a denial of service.

The vulnerability is due to the SSL/TLS/DTLS server incorrectly handling session tickets. This can be exploited to cause a memory leak and thus a denial of service.

3. CVE-2014-3568 vulnerability: This vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability is due to OpenSSL not properly enforcing its no-ssl3 build option: a server built with no-ssl3 still accepts an SSL 3.0 handshake, so a remote user can bypass intended access restrictions via an SSL 3.0 handshake.

Solution: Install the latest version, 7.0.5.0, from the manufacturer's website.
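As an added example (not code from the advisory or from Cerberus), here is a defender-side check for the SSL 3.0 issue: after updating, confirm the server no longer completes an SSLv3 handshake. It builds a minimal SSLv3 ClientHello and classifies the first TLS record the server returns; the default port 990 (implicit FTPS) is an assumption, and the sample replies used in comments are constructed.

```python
"""Post-patch check: does a TLS endpoint still negotiate SSL 3.0?"""
import socket
import struct

SSL3 = b"\x03\x00"  # SSL 3.0 version bytes (record and handshake layer)


def build_sslv3_client_hello() -> bytes:
    """Minimal SSLv3 ClientHello inside a handshake record of version 3.0."""
    client_random = b"\x00" * 32  # fixed value is fine for a probe
    # a few SSLv3-era cipher suites so an SSL 3.0-enabled server can answer
    suites = bytes.fromhex("000a002f003500050004")
    body = (SSL3 + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record returned for the SSLv3 ClientHello.

    'accepted': ServerHello negotiating version 3.0 (SSL 3.0 still enabled, unpatched)
    'refused' : an alert record (e.g. handshake_failure / protocol_version), or a
                ServerHello that did not settle on 3.0
    'unknown' : anything else (empty reply, plaintext FTP banner, garbage)
    """
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:  # Alert
        return "refused"
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        return "accepted" if payload[4:6] == SSL3 else "refused"
    return "unknown"


def probe(host: str, port: int = 990, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port (assumed implicit-FTPS port) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"
```

A result of "accepted" after the update means SSL 3.0 is still being negotiated and the server configuration should be revisited.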

References: http://www.cerberusftp.com/products/releasenotes.html

Manufacturer URL: http://www.cerberusftp.com/
