Security Advisory Description

Cerberus FTP Server versions prior to 12.1 and 11.3.9 are vulnerable to an SSL Renegotiation Denial of Service attack. This vulnerability is a form of CVE-2011-1473, which abuses the normal TLS/SSL connection process to create excessive CPU usage on the server. When used maliciously, a client can initiate a secure connection and repeatedly renegotiate the security settings by rejecting the server’s reply. During the connection process, the server performs many times the computation the client does; this asymmetry allows a single client to potentially overwhelm a much more powerful server.

This issue does not allow any unauthorized access to the server nor does it crash the server, but it can result in a very slow response and potentially dropped or missed valid connections.

Cerberus has extended the IP Manager Auto-Blocking feature to detect this type of attack, eliminate the excessive CPU usage, immediately drop the connection, and block the originating IP address if the behaviour persists beyond the administrator’s settings.
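The detection approach the advisory describes (count renegotiations per client, drop the connection when a client exceeds a limit, block the address if it keeps going) can be modelled as a small sliding-window guard. The following is an added example, not Cerberus FTP Server code; the event format, the thresholds (five renegotiations per ten-second window, block after two dropped connections) and the sample client addresses are constructed for illustration, and a real server would feed the guard from its TLS layer rather than from a list.

```python
"""Sliding-window guard for excessive TLS renegotiation per client address.

Added example modelling the behaviour the advisory attributes to the IP Manager
Auto-Blocking feature. Not Cerberus FTP Server code: event format, thresholds
and addresses are assumptions chosen for illustration.
"""
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, client IP, TLS event kind).
# 203.0.113.4 behaves normally; 198.51.100.7 renegotiates every 200 ms.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.4", "handshake"),
    (0.0, "198.51.100.7", "handshake"),
] + [(0.2 * i, "198.51.100.7", "renegotiate") for i in range(1, 14)] + [
    (30.0, "203.0.113.4", "renegotiate"),
]


class RenegotiationGuard:
    """Tracks renegotiation attempts per source IP and decides allow/drop/block."""

    def __init__(self, max_renegotiations=5, window_seconds=10.0, block_after_drops=2):
        self.max_renegotiations = max_renegotiations  # allowed per window
        self.window_seconds = window_seconds          # sliding window length
        self.block_after_drops = block_after_drops    # drops before the IP is blocked
        self.history = defaultdict(deque)             # ip -> renegotiation timestamps
        self.drops = defaultdict(int)                 # ip -> connections dropped so far
        self.blocked = set()                          # ips refused outright

    def observe(self, ts, ip, kind):
        """Return 'allow', 'drop' (close this connection) or 'block' (refuse the IP)."""
        if ip in self.blocked:
            return "block"
        if kind != "renegotiate":
            # Initial handshakes are not counted; only repeated renegotiation is.
            return "allow"
        window = self.history[ip]
        # Evict renegotiations that fell out of the sliding window, then record this one.
        while window and ts - window[0] > self.window_seconds:
            window.popleft()
        window.append(ts)
        if len(window) <= self.max_renegotiations:
            return "allow"
        # Limit exceeded: drop the connection. Clearing the window models the
        # connection being closed, so a fresh connection starts from zero.
        window.clear()
        self.drops[ip] += 1
        if self.drops[ip] >= self.block_after_drops:
            self.blocked.add(ip)
            return "block"
        return "drop"


def run(events, **guard_kwargs):
    """Feed events through a guard; return the guard and the per-event decisions."""
    guard = RenegotiationGuard(**guard_kwargs)
    decisions = [(ts, ip, guard.observe(ts, ip, kind)) for ts, ip, kind in events]
    return guard, decisions


def decisions_for(decisions, ip):
    """Ordered list of decisions taken for one client address."""
    return [action for _, addr, action in decisions if addr == ip]


if __name__ == "__main__":
    guard, decisions = run(SAMPLE_EVENTS)
    for ts, ip, action in decisions:
        print(f"{ts:6.1f}s  {ip:<14} {action}")
    print("blocked:", sorted(guard.blocked))
```

With the sample input the well-behaved client is never touched, while the renegotiating client is allowed five attempts, has its connection dropped on the sixth, repeats the pattern once more and is then blocked for every further attempt. Tuning the thresholds is the administrator's trade-off between tolerating legitimate renegotiation (some clients renegotiate once after authentication) and how long a single abusive client may consume CPU before it is cut off.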

Scope

  • This vulnerability impacts all editions of Cerberus FTP Server.

Known Affected Versions

  • 12.0 releases prior to 12.1
  • 11.0 releases prior to 11.3.9
  • 10.0 and earlier are also affected. These versions are out of support and no longer receive updates.

Mitigation

This issue is addressed in versions 12.1 and 11.3.9. As always, Cerberus administrators are urged to upgrade to these versions or higher as soon as possible. There are no known mitigations beyond limiting connection access to the server.

Credit

This vulnerability was discovered and reported by one of our valued customers. Special thanks for their efforts.