Filter by Category

New FTP Server Security Flaw Recently Discovered

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that call the glob() function. "Globbing" is a pervasive function that permits the use of wildcard patterns to identify file names. It's one of the most commonly used processes in transferring large numbers of files with FTP: Instead of individually selecting files, a user may select a folder or a group of files based upon a common string. The common use of *.doc or *.* are examples.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001. That feature, called GLOB_LIMIT, was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system's main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place - not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client's data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it's important to either disable globbing in the configuration of the server side, and/or to contact the software vendor about the use of this underlying function to discuss how to the function.

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services [renamed GoAnywhere MFT in 2015] is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.

 

 

Add a Comment

Allowed tags: <b><i><br>

Latest Posts


Recent 2018 Data Breaches in Healthcare (and How to Avoid Them)

November 14, 2018

Phishing attacks, malware, and employee errors. These are three of the most recent causes for healthcare data breaches in 2018, with more certainly to come. The year isn’t over yet. For anyone…


Which is Better: SFTP vs. MFT?

November 6, 2018

SFTP, or MFT: that is the question. Even though we’re not all famous poets like William Shakespeare, many IT professionals will ask this question at some point or another. Should they use an…


What You Need to Know about the California Consumer Privacy Act (CCPA)

October 30, 2018

Businesses be aware: if you’re located in California or work with customers from California, a new privacy act similar to the GDPR is coming for you. This gives you just 14 months to analyze…


The Best Cybersecurity Strategies for Banks and Financial Organizations

October 18, 2018

Banks and financial institutions, take note: though the year is almost over, no one is safe from a data breach. Industries across the board have seen 4.5 million records stolen so far in 2018—a…


What is Managed File Transfer (MFT)?

October 10, 2018

As companies recognize a need for a solution that meets their file transfer, automation, and encryption needs, the question often arises: what is managed file transfer and how is it different from my…