CVE-2023-48795
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Overview
A security advisory applies to all SFTP and SSH servers, including SFTP Gateway and OpenSSH. Specific HMACs and ciphers are vulnerable, potentially allowing unauthorized access and manipulation of data. Full details of the vulnerability are documented here.
We recommend that you lock down the HMACs and ciphers for OpenSSH.
Check your version of SFTP Gateway
This vulnerability affects all versions of SFTP Gateway. This article covers version 2.
You can check the version of SFTP Gateway by scrolling to the footer of the web admin portal.
Alternatively, you can SSH into the VM and list the files in /opt/sftpgw/, which show the version number in the file names.
Lock down OpenSSH
Ideally, OpenSSH should be upgraded beyond version 9.5.
Since OpenSSH cannot be upgraded to the latest version via OS updates, you can disable the following cipher and HMACs as a workaround:
chacha20-poly1305@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-md5-etm@openssh.com
Note: Anyone using SFTP Gateway or stand-alone OpenSSH should lock down vulnerable ciphers and HMACs.
To see your list of macs and ciphers, run the following commands as root (sshd -T reads the host keys and full server configuration):
sshd -T | grep macs
sshd -T | grep ciphers
For ciphers, you want to remove chacha20-poly1305@openssh.com, which is vulnerable. You also want to remove anything ending in -cbc, which is weak.
For macs, you want to remove any combination that starts with hmac and ends with etm. These macs are listed above. Note: the other hmacs are fine, as long as they don't have -etm (e.g. hmac-sha1 is ok).
Create an allowlist of ciphers and macs by adding (or updating) the following lines in the file /etc/ssh/sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
Restart sshd to apply your changes:
service sshd restart
Finally, verify your changes:
sshd -T | grep macs
sshd -T | grep ciphers
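The manual check and verify steps above can be scripted. The following is an added example and not part of the original article or of SFTP Gateway itself: it reads sshd -T output (from a pipe, so it can also be run against saved output) and flags exactly the algorithms this article says to remove: chacha20-poly1305@openssh.com, any cipher ending in -cbc, and any MAC that starts with hmac and ends with -etm. The function names and the sample output embedded for the demonstration are constructed for this example.

```shell
#!/bin/sh
# Added example (not the article's or SFTP Gateway's own code): audit
# `sshd -T` output for the ciphers and MACs this article says to remove.

# check_sshd_algos: reads `sshd -T` style output on stdin ("ciphers a,b,c"
# and "macs x,y,z" lines), prints each offending algorithm on its own line,
# and returns 1 if anything was found, 0 if the configuration is clean.
check_sshd_algos() {
    found=0
    while read -r key value; do
        case "$key" in
            ciphers)
                # The value is a comma-separated list; inspect each entry.
                for c in $(printf '%s' "$value" | tr ',' ' '); do
                    case "$c" in
                        chacha20-poly1305@openssh.com)
                            echo "cipher $c (vulnerable, CVE-2023-48795)"; found=1 ;;
                        *-cbc)
                            echo "cipher $c (weak CBC mode)"; found=1 ;;
                    esac
                done ;;
            macs)
                for m in $(printf '%s' "$value" | tr ',' ' '); do
                    case "$m" in
                        # hmac-*-etm combinations are the ones listed in the article.
                        hmac-*-etm@openssh.com|hmac-*-etm)
                            echo "mac $m (vulnerable, CVE-2023-48795)"; found=1 ;;
                    esac
                done ;;
        esac
    done
    return $found
}

# audit_running_sshd: convenience wrapper for a live host. Must run as root,
# since `sshd -T` needs to read the host keys and the full server config.
audit_running_sshd() {
    sshd -T 2>/dev/null | check_sshd_algos
}

# Constructed sample of `sshd -T` output from an unhardened host, used only
# to demonstrate the checker; on a real system call audit_running_sshd instead.
sample_sshd_output() {
    printf '%s\n' \
        'ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-cbc' \
        'macs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha1'
}

# Example run against the constructed sample (exit status 1 = findings present):
#   sample_sshd_output | check_sshd_algos
```

Run `sudo sh -c '. ./check_terrapin.sh; audit_running_sshd'` before and after editing /etc/ssh/sshd_config: a non-zero exit means something on the article's removal list is still enabled. Note that umac-*-etm@openssh.com is deliberately not flagged, matching the allowlist given above. After restarting sshd, open a second SSH session to confirm you can still log in before closing the one you are working in.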
Contact Support
If you run into any issues, you can reach out to us via email at support@thorntech.com.