

Vulnerabilities for Serv-U 10 and later versions


Updated February 24, 2017

Overview

This article provides a list of vulnerabilities for Serv-U v10 and later versions.

Environment

Serv-U v10 and later

Detail

Vulnerabilities in v10 and later (releases since May 17, 2010):

Our security team recommends that you run at least the minimum version listed below. At least one of the vulnerabilities listed below (the chroot jailbreak fixed in 11.1.0.5) had been present since Serv-U 1.0; do not put your company at risk by running unpatched software.

  • Fixed in 15.1.1.108: OpenSSL libraries updated to 0.9.8zb. Additionally, SSLv2 and SSLv3 are disabled by default.
  • Fixed in 15.1.0.480: Several potential security issues. See the relevant release notes for details.
  • Fixed in 15.0.1.20: DoS vulnerability which could render Serv-U unresponsive.
  • Fixed in 15.0.0.0: Security issue allowing for possible SSL DoS attacks.
  • Fixed in 14.0.2.0: DoS vulnerability where clients could saturate Serv-U with SSL renegotiation requests that made Serv-U unresponsive.
  • Fixed in 12.1: DoS due to FTPS and HTTPS SSL/TLS session negotiation vulnerability. (Certain connections that failed to complete SSL negotiation could cause other connections to fail.) Also, DoS due to a crash caused by certain ways of terminating web administration sessions.
  • Fixed in 11.3: DoS due to a memory leak when certain HTTP/S and SFTP usernames were attempted.
  • Fixed in 11.2: Escalation of privilege (wrong set of folder permissions) due to incorrect parsing of folder permission rules on remote shares.
  • Fixed in 11.1.0.5: Escalation of privilege (chroot jailbreak) due to incorrect parsing of folder commands. (Secunia SA47021; discovered by kingcope; present since v1.0.)
  • Fixed in 11.0.0.4: Cross-site scripting (XSS) in Web Client.
  • Fixed in 10.3.0.1: Unauthorized use due to an improper password check in the SFTP interface.
  • Fixed in 10.2.0.0: Escalation of privilege (grant self permission to virtual folder). Also, DoS due to a crash caused by improper Web Client URL parsing.
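The practical question this list raises is "which of these fixes does my installed build actually contain?" The script below is an added example (not part of this article or of Serv-U itself) that encodes the fixed-in versions from the list above and reports every fix a given build number lacks. It also extracts the version from a Serv-U FTP greeting; the banner text in the sample is constructed for the example and assumes the greeting contains the phrase "Serv-U FTP Server v" followed by the version. Versions written with fewer than four components (the article's "11.2", "11.3", "12.1") are padded with zeros, an assumption about how that shorthand maps onto Serv-U's four-part build numbers. The padding is deliberately conservative: a banner that only says "v15.1" is treated as 15.1.0.0, so the 15.1.0.480 and 15.1.1.108 fixes are reported as not confirmed until the exact build is checked in the administration console.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed-in versions and issue summaries transcribed from the list above,
# oldest first. Short versions such as "11.2" are padded to 11.2.0.0
# (assumption: the article's shorthand means the first build of that release).
FIXED_IN: List[Tuple[str, str]] = [
    ("10.2.0.0", "privilege escalation via virtual folder permissions; Web Client URL parsing crash (DoS)"),
    ("10.3.0.1", "improper password check in SFTP interface"),
    ("11.0.0.4", "XSS in Web Client"),
    ("11.1.0.5", "chroot jailbreak via folder command parsing (Secunia SA47021)"),
    ("11.2", "wrong folder permissions on remote shares"),
    ("11.3", "memory-leak DoS via certain HTTP/S and SFTP usernames"),
    ("12.1", "SSL/TLS negotiation DoS; web administration session crash"),
    ("14.0.2.0", "SSL renegotiation DoS"),
    ("15.0.0.0", "SSL DoS"),
    ("15.0.1.20", "DoS rendering Serv-U unresponsive"),
    ("15.1.0.480", "several potential security issues (see release notes)"),
    ("15.1.1.108", "OpenSSL 0.9.8zb; SSLv2/SSLv3 disabled by default"),
]

# Assumed greeting shape, e.g. "220 Serv-U FTP Server v15.1 ready..."
BANNER_RE = re.compile(r"Serv-U FTP Server v(\d+(?:\.\d+){0,3})")


def parse_version(text: str) -> Version:
    """Turn '15.1' or '15.1.1.108' into a 4-tuple, zero-padding missing parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def version_from_banner(banner: str) -> Optional[Version]:
    """Extract the Serv-U version from an FTP greeting, or None if it is not Serv-U."""
    match = BANNER_RE.search(banner)
    return parse_version(match.group(1)) if match else None


def unpatched_issues(version) -> List[str]:
    """Return the summary of every listed fix that `version` does not include.

    `version` may be a dotted string or a tuple from parse_version(). A build
    is considered patched for an entry when it is >= that entry's fixed-in
    version; tuple comparison gives the right ordering for 4-part numbers.
    """
    v = parse_version(version) if isinstance(version, str) else version
    return [summary for fixed, summary in FIXED_IN if v < parse_version(fixed)]


def triage_banner(banner: str) -> Tuple[Optional[Version], List[str]]:
    """Convenience wrapper: banner text in, (version, missing fixes) out."""
    v = version_from_banner(banner)
    return (v, unpatched_issues(v)) if v is not None else (None, [])


if __name__ == "__main__":
    # Constructed sample greetings for illustration only.
    for banner in ("220 Serv-U FTP Server v11.1 ready...",
                   "220 Serv-U FTP Server v15.1 ready...",
                   "220 (vsftpd 3.0.3)"):
        version, missing = triage_banner(banner)
        print(f"{banner!r} -> version {version}")
        for issue in missing:
            print(f"    not confirmed fixed: {issue}")
```

The ordering test is the whole point: `(15, 1, 0, 0) < (15, 1, 0, 480)` is true, so a bare "v15.1" banner is flagged rather than silently passed. Confirm the full build number from the product itself before treating a host as clean.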

Last modified
20:58, 26 Mar 2017
