Security Advisory Description
Cerberus FTP Server releases prior to 11.0.1 were vulnerable to brute force attacks for the 2FA code for a web client user or server administrator when using the Cerberus HOTP 2FA implementation.
This vulnerability results from us having no locking mechanism present to prevent an unlimited number of attempts at the 2FA code. Auto-blocking IP addresses and rate-limiting attempts were originally thought to be sufficient to mitigate this issue, but an attacker with sufficient resources and time could still use many different connections to work around the rate limiting and IP blocking. Given the limited number space of possible 2FA codes, anything short of an account 2FA lockout really is insufficient to prevent this issue.
Note: To take advantage of this vulnerability requires the attacker to already know the user’s password.
Our DUO 2FA implementation is immune to this problem. We have confirmed through testing and DUO’s documentation that DUO does lock out an account after an administrator defined number of failed attempts (the default is 10).
To address this issue, we added a 10 attempt lockout for user and administrator accounts when trying 2FA authentication. Additional security measures were also added, such as requiring admin and user account password changes before an account’s lockout status can be reset, as well as logging out all existing sessions for a locked out admin user on password reset.
We also spent a significant amount of time and resources rewriting, reviewing, and testing our 2FA implementation to ensure there were no further issues with our approach and the underlying code.
Known Affected versions
- 11.0 releases prior to 11.0.1
- 10.0 releases prior to 10.0.18
- 9.0 and older are out of support and no longer receiving updates. It is unknown
whether issues in this advisory affect them.
Mitigation
These vulnerabilities were addressed in Cerberus FTP Server 11.0.1 and 10.0.18. Administrators are encouraged to upgrade to one of these versions or higher as soon as possible.
Older version of Cerberus FTP Server are no longer maintained and will not be seeing any security or bug fixes.
Credit
Special thanks to Claire Wong from BAE Systems Applied Intelligence for discovering and reporting this vulnerability.