Security Advisory Description
Cerberus FTP Server uses cURL in some Event Manager options. By default when linked with OpenSSL, cURL attempts to find openssl.cnf; the search will look at the system environment variables, Registry, or the default build location. If none of these exist, a regular user might be able to create the non-privileged build directory path and create their own openssl.cnf. Control over openssl.cnf could allow them to inject code to be run by the account running Cerberus FTP Server at the next reload. This vulnerability is covered in CVE-2019-5443.
Fix
Cerberus FTP Server version 11.3.5 contains a change to mitigate this threat: cURL is now built never to load openssl.cnf.
Scope
- This vulnerability impacts all editions of Cerberus FTP Server.
Known Affected Versions
- 11.0 releases prior to 11.3.5
- 10.0 and earlier do not use cURL and are not affected
Mitigation
This issue is addressed in version 11.3.5. As always, Cerberus Administrators are urged to upgrade to these versions or higher as soon as possible.
Until the upgrade can be completed, Cerberus Administrators may mitigate this vulnerability through the registry configuration detailed below:
- Define a REG_EXPAND_SZ entry in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\OPENSSL_CONF with a value such as %SystemRoot%\system32\openssl\openssl.cnf
This fix references a protected path. A non-existent configuration file will be skipped but cannot be created or modified by a non-privileged user.
Credit
Special thanks to Xavier DANEST at Decathlon for reporting this vulnerability.