CVE-2023-48795
Overview
A security advisory applies to all SFTP and SSH servers, including SFTP Gateway and OpenSSH. Specific HMACs and ciphers are vulnerable, potentially allowing unauthorized access to and manipulation of data. Full details of the vulnerability are documented here.
We recommend that you take the following actions:
- Update the SFTP Gateway application
- Lock down the HMACs and ciphers for OpenSSH
This article may be updated as new information becomes available. Last updated: December 18, 2023 at 12:11pm EST.
Update the SFTP Gateway application
The SFTP Gateway application serves SFTP traffic on the default port TCP 22. This section covers patching the SFTP Gateway application.
See the second half of the article for locking down OpenSSH.
Check your version of SFTP Gateway
This vulnerability affects all versions of SFTP Gateway prior to v3.4.6. New deployments of v3.4.6 (coming soon) as well as instances upgraded to v3.4.6 are not affected.
You can check the version of SFTP Gateway by scrolling to the footer of the web admin portal.
Alternatively, you can SSH into the VM and list the files in /opt/sftpgw/, which show the version number in the file names.
Perform an in-place upgrade to version 3.4.6
The easiest way to upgrade would be to use our in-place upgrade script.
Note: you must already be on SFTP Gateway version 3 in order to perform an in-place upgrade.
Note: SFTP clients (e.g. FileZilla and WinSCP) should also be updated to make sure you are negotiating the latest MACs, ciphers, and key exchange algorithms.
Migrate to version 3.4.6
The safest way to upgrade is to perform a migration.
This involves exporting a backup of your existing server and importing the backup into a new instance of v3.4.6. Finally, perform an IP or DNS cutover to the new server.
Note: We will update this article when version v3.4.6 is available on cloud marketplaces. Until then, please perform the in-place upgrade.
Lock down OpenSSH
Ideally, OpenSSH should be upgraded beyond version 9.5.
Since OpenSSH cannot be upgraded to the latest version via OS updates, you can disable the following ciphers and HMACs as a workaround:
- chacha20-poly1305@openssh.com
- hmac-sha2-512-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha1-etm@openssh.com
- hmac-md5-etm@openssh.com
Note: Anyone using SFTP Gateway or stand-alone OpenSSH should lock down vulnerable ciphers and HMACs.
To see your current list of MACs and ciphers, run the following commands:
sshd -T | grep macs
sshd -T | grep ciphers
For ciphers, you want to remove chacha20-poly1305@openssh.com, which is vulnerable. You also want to remove anything ending in -cbc, which is weak.
For MACs, you want to remove any combination that starts with hmac and ends with etm. These MACs are listed above. Note: the other hmacs are fine, as long as they don't have -etm (e.g. hmac-sha1 is ok).
Create an allowlist of ciphers and MACs by adding (or updating) the following lines in the file /etc/ssh/sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,umac-128@openssh.com,umac-64-etm@openssh.com,umac-64@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-sha1
Restart sshd to apply your changes:
service sshd restart
Finally, verify your changes:
sshd -T | grep macs
sshd -T | grep ciphers
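As an added example (not part of this article or the SFTP Gateway product), the following POSIX shell script applies the removal rules above to "sshd -T" output: it flags chacha20-poly1305@openssh.com, any cipher ending in -cbc, and any MAC starting with hmac and ending in etm. The SAMPLE_SSHD_T text is a constructed stand-in for a real server's output; pass --live as root to check the actual sshd configuration instead.

```shell
#!/bin/sh
# Added example: applies this article's removal rules to `sshd -T` output.
# Constructed sample below stands in for a real server's "ciphers"/"macs" lines.
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes256-gcm@openssh.com,aes256-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha1'

# flag_algorithms: reads `sshd -T` style "ciphers ..." / "macs ..." lines on
# stdin and prints one line per algorithm the article says to remove.
flag_algorithms() {
    while read -r key value; do
        case "$key" in
            ciphers)
                printf '%s\n' "$value" | tr ',' '\n' | while read -r alg; do
                    case "$alg" in
                        chacha20-poly1305@openssh.com)
                            printf '%s: vulnerable (CVE-2023-48795)\n' "$alg" ;;
                        *-cbc)
                            printf '%s: weak (CBC mode)\n' "$alg" ;;
                    esac
                done ;;
            macs)
                printf '%s\n' "$value" | tr ',' '\n' | while read -r alg; do
                    case "$alg" in
                        hmac-*-etm*)   # starts with hmac, ends with etm
                            printf '%s: vulnerable (CVE-2023-48795)\n' "$alg" ;;
                    esac
                done ;;
        esac
    done
}

# count_flagged: number of algorithms flagged in the given `sshd -T` text.
count_flagged() {
    printf '%s\n' "$1" | flag_algorithms | wc -l | tr -d ' '
}

# With --live (run as root on the server), check the real sshd configuration;
# otherwise demonstrate on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    sshd -T 2>/dev/null | grep -E '^(ciphers|macs) ' | flag_algorithms
else
    printf '%s\n' "$SAMPLE_SSHD_T" | flag_algorithms
fi
```

An empty result after applying the allowlist and restarting sshd means no algorithm on the article's removal list is still offered.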
Contact Support
If you run into any issues, you can reach out to us via email at support@thorntech.com.