As part of our continuous effort to pursue security best practices, Cerberus FTP Server now issues a security warning when FTP and FTPS listeners do not enforce session reuse.
After upgrading to version 12.7, running Cerberus FTP Server with FTP or FTPS listeners that do not require session reuse triggers a new system message (Warning), and the affected listeners are marked as “Not Secure”.
The first part of the message indicates the listener type, FTP or FTPS. The ‘#’ symbol will be replaced with the listener number. The final part describes the risk and links to this FAQ article.
This warning addresses a risk that arises from how the FTP protocol works with its separate control and data channels in passive mode. In order to prevent another concurrent user from hijacking a newly opened passive data connection, session reuse takes advantage of TLS session resumption to verify that a data connection resumes the TLS session of the control connection that requested it.
This feature is turned on for the secure default FTP/S listeners when upgrading, but existing listeners are left unchanged.
The FileZilla client now requires this feature and provides no option to disable it; therefore, we will always turn this feature on for FileZilla even if this option is not enabled. Other clients will only be forced to use the feature if the option is enabled.
To enable or disable this feature, administrators can select an FTP/S listener under Server Manager / Listeners. Require Session Reuse is only available when both Require Secure Control and Require Secure Data are enabled. The option appears as shown below.
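To make the pairing check described above concrete, here is an added Python illustration (example code, not Cerberus's own) of how a server can tie a passive-mode data connection to its control connection through TLS session reuse, honouring the listener options named above. It reads only the two attributes Python's `ssl.SSLSocket` exposes after a handshake (`session_reused` and `session.id`); a constructed stand-in class replaces real sockets so it runs offline, and the client-name prefix used to single out FileZilla is an assumption.

```python
"""Pairing an FTPS passive data connection with its control connection.

Assumption: the server can read the TLS session identifier on both the
control and the data socket, as ssl.SSLSocket exposes via .session.id.
"""
from dataclasses import dataclass


@dataclass
class TLSSession:
    id: bytes  # mirrors ssl.SSLSession.id


@dataclass
class FakeTLSSocket:
    """Constructed stand-in for ssl.SSLSocket; only the fields the check reads."""
    session: TLSSession
    session_reused: bool = False


@dataclass
class Listener:
    require_secure_control: bool = True
    require_secure_data: bool = True
    require_session_reuse: bool = False
    # Clients held to the check even when the option is off (FileZilla, per the article).
    always_enforce_for: tuple = ("FileZilla",)

    @property
    def is_secure(self) -> bool:
        # A listener is flagged "Not Secure" unless all three options are on.
        return (self.require_secure_control and self.require_secure_data
                and self.require_session_reuse)


def check_data_connection(listener, client_name, control_sock, data_sock):
    """Return (accepted, reason) for a data connection arriving on a passive port."""
    enforce = listener.require_session_reuse or any(
        client_name.startswith(c) for c in listener.always_enforce_for)
    if not enforce:
        return True, "session reuse not required for this listener/client"
    if not data_sock.session_reused:
        return False, "data connection performed a fresh TLS handshake"
    if control_sock.session is None or data_sock.session is None:
        return False, "no TLS session available to compare"
    if data_sock.session.id != control_sock.session.id:
        return False, "data connection resumed a session other than the control connection's"
    return True, "data connection paired with its control connection"
```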
For more information, please read this FAQ article and consider which of the presented options are appropriate for your specific needs.
As always, we look forward to hearing how our customers use Cerberus and any additional improvements that would help make Cerberus FTP Server as secure as can be. We would love to hear your feedback.