From: <security@nruns.com.>
To: <full-disclosure@lists.grok.org.uk.>,
Subject: ERRATA - n.runs-SA-2008.001 - Jscape Secure FTP Applet
Date: Wed, 25 Jun 2008 16:33:53 +0200
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAEqlc0sEqCZMjFiSy1tj+RPCgAAAEAAAAGz7xKePd6ZGqNI2ZuogrrkBAAAAAA==@nruns.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcjW0HvaTiKz8cmGSrCYTp1WTlN7HQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-PGP-Encoding-Format: MIME
X-PGP-Encoding-Version: 2.0.2
Content-Type: multipart/signed;
boundary="PGP_Universal_72E291E1_867FC29A_CEE6AF9C_FB623B41";
protocol="application/pgp-signature";
micalg="pgp-sha1"
X-Provags-ID: V01U2FsdGVkX18KkZRizVLimBLaqAbjmKO2csaQF7pl7sB1VVb
Om2mNIzOGAKIgVwqBZICO/EkQrHX2BP2Ukp68htifYriTLtXy1
EJCIA+2hgotwgxHbm7GyQ==
X-Virus-Scanned: antivirus-gw at tyumen.ru
--PGP_Universal_72E291E1_867FC29A_CEE6AF9C_FB623B41
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: QUOTED-PRINTABLE
n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2008.001
25-June-2008
____________________________________________________________________________
____
Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing=20
man-in-the-middle attacks
Risk: Medium
____________________________________________________________________________
____
Overview
The JSCAPE Secure FTP Applet suffers from a man-in-the-middle vulnerability.
JSCAPE software has been deployed in a wide array of industries including
aerospace, banking, communications, education, insurance, finance,
government and software. With customers in more than 50 countries worldwide
the following is a small sample of companies who use JSCAPE products and
services. Customers include Boeing, SUN, ISS, SAP - See
http://www.jscape.com/clients.html for more details.
The JSCAPE Secure FTP Applet is a secure FTP client that runs within Java
enabled web browsers. The software supports SFTP (FTP over SSH) and FTPS
(FTP over SSL) for encrypted file transfer.
Description
To prevent man-in-the-middle attacks it is important to check the
authenticity of the destination server by verifying the host key of the
server when establishing the SSH connection. With previous versions of the
JSCAPE Secure FTP applet it was not possible to verify the authenticity of
the destination server.
Impact
When using affected versions of the JSCAPE secure FTP applet, users are not
able to identify man-in-the-middle attacks. The supposedly secure connection
is no longer secure. An attacker is able to eavesdrop on the connection in
order to extract username and password or take over the initiated session.
Solution
Upgrade to version 4.9.0 or above
________________________________________________________________________
Vendor communication:
2006/04/12 n.runs sends a Vulnerability Notice informing Jscape
about the nature of the problem and the impact.
2006/04/13 Jscape acknowledges and ask for more details
2006/04/13 n.runs gives more details
2007/07/26 n.runs asks for feedback and if the problem has been
patched
2007/07/26 Jscape replies "We do not have a release date yet for
this task"
2007/07/26 n.runs asks whether they can offer a estimate when the
patch will be available
2007/07/26 Jscape answers again "We do not have a release date yet
for this task"
2008/02/19 n.runs requests a statement to be used in the advisory as
there seems to be no intention to patch and argues "you
deem this problem as low yet it renders the *secure
connection* insecure."
2008/02/20 Jscape promises to "continue to look into this issue and
notify you when a patch is available".
2008/02/25 n.runs notifies Jscape that an advisory will be released
by the end of the week if they do not patch the flaw
n.runs reported roughly 2 years ago.
"Given the long time this has already been reported
(12/2006), and the criticality of this issue, I would
expect a patch to be ready by the end of the week. If the
patch is not available until the end of this week
(29.02.2008) I'll proceed with the advisory"
2008/02/29 Jscape notifies n.runs that the flaw has been patched
2008/06/01 n.runs verifies the patch and confirms that
man-in-the-middle is no longer possible if the user does
not accept the new key. n.runs however recommends that
Jscape warns the users of the security implications of a
new SSH Host key rather then simply displaying "New Host
key".
________________________________________________________________________
Credits
Vulnerability discovered by Frank Dick and Thierry Zoller of n.runs AG.
About n.runs
n.runs AG is a vendor-independent consulting company specializing in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
2007, n.runs expanded its core business area, which until then had been
project based consulting, to include the development of high-end security
solutions. Application Protection System - Anti Virus (aps-AV) is the first
high-end security solution that n.runs is bringing to the market.
Advisories can be found at : http://www.nruns.com/security_advisory.phpCopyright Notice
Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
[email protected] for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In no event shall n.runs be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if n.runs has been advised of the possibility of such
damages.
Copyright n.runs AG. All rights reserved. Terms of use apply.
________________________________________________________________________
Subscribe to the n.runs newsletter by signing up to:
http://www.nruns.com/newsletter_en.php
--PGP_Universal_72E291E1_867FC29A_CEE6AF9C_FB623B41
Content-Type: application/pgp-signature;
x-mac-type=70674453;
name=PGP.sig
Content-Disposition: attachment; filename=PGP.sig
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.1 (Build 2523)
iQIVAwUBSGJX115rjmT2uFcEAQLE6A/+K6OMlU1x7HMUQ7g+gyNvULsKhzQQnbYu
NfvuCYETuOgXa8lIWAB0kASgTB0yYaOi6FAwkSlRjTl5CZpII+MTh2sYXV8HZdVX
Tgi8v/SxbQYn67doM+IPbaZGbP8F1uKdqhn49w/+dzocPEow/yotWBb3B/j9ydD8
v3oTGsofSxCfbG5z1shCdhglpwtvNFJO7OE34UTJ+4m8BA5V86P7jm6bpabmFpbB
JqndN2fXOx4VrpKXPhxT9aRe6Hq5UOZF4EnxdZUCYKY2r8uI2Gm+UXuXcPx+ed43
tymk99oeeMrX0rNnCuGkqXDnEju6uJmQ9VqdFn2jafHaUvolvK4dl43SyvrRcoNd
CYYRgt+RSkaE076+MT0DnIx8LzzqBvMri63kqVcfvYmr6/zD0otPU20O8pVa6+jV
OV9Ic2XGhKCD3lAV68jrml1NftT9fPs648Yu1cqyKyIqUv4C1C0/BRfe6PHtOSxY
ThgfcW3depTXnonj6z1JolA1BmKr5Euz2eID6jJfimF16Yd+F9PIiPAOZmbqYpi+
ZMu357wEeITUWK9DjMc0B8CS8N7flj/2plgs78hydM7zCo/Mbe3L5DhIsWoiWVUg
PG49dj+8KbYw/GDQF9EQMxDeN+sLHzqxYe15ei/ezTuvK9hpiX5+f38IovmEagkt
4MYHqE0IIRs=
=Fuin
-----END PGP SIGNATURE-----
--PGP_Universal_72E291E1_867FC29A_CEE6AF9C_FB623B41--
