Security Advisory Description

Cerberus FTP Server Enterprise Edition prior to versions 11.0.3 and 10.0.18 is vulnerable to a permissions bypass when a user has zip/unzip permission. When zipping, users could include files and folders that were not visible to them; when unzipping, users could extract directories even if they did not have the “Create Directory” permission.

Zip/Unzip permissions granted implied permissions that were not well articulated and could conflict with permissions an Administrator had applied explicitly. We have made updates so that only the actions specifically granted are allowed, which should make it clearer to Administrators what a user can and cannot do with Zip/Unzip.

How Zip/Unzip handles Permissions

The guiding principle in implementing these rules was to make zip/unzip consistent with what a user sees in the Web Client. If they can’t see a file/directory, they can’t access/overwrite it.

Granting a user zip permission will allow them to create a zip file. This zip file will only contain files and directories that the user would be able to see and access through the Web Client. The user will be notified if files were skipped, and a log entry is created for the Administrator.

Granting a user unzip permission will allow them to unzip an existing zip file. Unzipping requires “List Files” permission; otherwise the user can’t see the file to unzip it. “List Directory” is required to extract directories; files will be added to existing directories. “Create Directory” is required to add a new directory; existing directories will never be overwritten. A user cannot extract hidden files unless they have the “Show Hidden” permission. Overwriting files requires “Delete” permission. If extracting a file would violate permissions, the user is notified that the unzip was not complete and a detailed log entry is created for the Administrator.
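The rules above are easiest to reason about as a small permission model. The following is an added example written for this page, not Cerberus FTP Server code, and it makes a few assumptions the advisory does not state: permissions are plain strings, a hidden entry is one with a dot-prefixed path component, the extraction target is modelled as two sets of POSIX-style relative paths, and an entry inside a subdirectory needs “List Directory” to be seen or extracted while creating a directory needs both “List Directory” and “Create Directory”. Both the zip side (only visible entries go into the archive) and the unzip side (each entry is allowed or skipped with a reason that can go to the user notification and the Administrator log) are modelled.

```python
"""Toy model of the zip/unzip permission rules described in the advisory.

Added example, not Cerberus FTP Server code.  Assumptions not taken from
the advisory: permissions are plain strings; a hidden entry has a
dot-prefixed path component; the target tree is two sets of POSIX-style
relative paths; entries inside subdirectories need "List Directory", and
creating a directory needs "List Directory" plus "Create Directory".
"""
from dataclasses import dataclass, field

LIST_FILES = "List Files"
LIST_DIRECTORY = "List Directory"
CREATE_DIRECTORY = "Create Directory"
SHOW_HIDDEN = "Show Hidden"
DELETE = "Delete"


@dataclass
class Tree:
    """Directories and files that already exist at the target (constructed)."""
    dirs: set = field(default_factory=set)
    files: set = field(default_factory=set)


def _is_hidden(path):
    # Assumption: dot-prefixed names are hidden, as on POSIX systems.
    return any(part.startswith(".") for part in path.split("/"))


def _visible(path, is_dir, perms):
    """Mirror the Web Client view: can this user see the entry at all?"""
    if _is_hidden(path) and SHOW_HIDDEN not in perms:
        return False
    if (is_dir or "/" in path) and LIST_DIRECTORY not in perms:
        return False
    return is_dir or LIST_FILES in perms


def plan_zip(perms, listing):
    """Split a requested listing of (path, is_dir) into entries the archive
    may contain and entries that are skipped (user notification + log)."""
    included, skipped = [], []
    for path, is_dir in listing:
        if _visible(path, is_dir, perms):
            included.append(path)
        else:
            skipped.append((path, "not visible to this user in the Web Client"))
    return included, skipped


def _ensure_dir(path, perms, dirs):
    """None if `path` exists or may be created (with any missing ancestors),
    otherwise the reason it cannot be.  Existing dirs are never overwritten."""
    if path in dirs:
        return None
    if LIST_DIRECTORY not in perms:
        return "List Directory permission missing"
    if CREATE_DIRECTORY not in perms:
        return "new directory; Create Directory permission missing"
    parts = path.split("/")
    for i in range(1, len(parts) + 1):          # shallowest ancestor first
        dirs.add("/".join(parts[:i]))
    return None


def plan_unzip(perms, entries, tree):
    """Decide, entry by entry, what extracting the archive may do.
    Returns (extracted, skipped); skipped holds (path, reason) pairs."""
    if LIST_FILES not in perms:
        # Without List Files the user cannot even see the archive.
        return [], [("<archive>", "List Files permission missing")]
    dirs, files = set(tree.dirs), set(tree.files)
    extracted, skipped = [], []
    for path, is_dir in entries:
        path = path.strip("/")
        if _is_hidden(path) and SHOW_HIDDEN not in perms:
            skipped.append((path, "hidden; Show Hidden permission missing"))
            continue
        if is_dir:
            if path in dirs:
                continue                        # exists already; nothing to do
            reason = _ensure_dir(path, perms, dirs)
            (skipped.append((path, reason)) if reason else extracted.append(path))
            continue
        parent = path.rpartition("/")[0]
        if parent:
            if LIST_DIRECTORY not in perms:
                skipped.append((path, "inside a directory; List Directory permission missing"))
                continue
            reason = _ensure_dir(parent, perms, dirs)
            if reason:
                skipped.append((path, f"parent '{parent}': {reason}"))
                continue
        if path in files and DELETE not in perms:
            skipped.append((path, "would overwrite existing file; Delete permission missing"))
            continue
        files.add(path)
        extracted.append(path)
    return extracted, skipped


def admin_log_lines(user, skipped):
    """Render the detailed per-entry reasons as log lines for the Administrator."""
    return [f"unzip by {user}: skipped '{p}': {why}" for p, why in skipped]
```

Feeding the model a user who holds only “List Files” and “List Directory” shows the intended behaviour: files land in existing directories, a new directory and everything beneath it is skipped for lack of “Create Directory”, an existing file is not overwritten for lack of “Delete”, and a hidden entry is skipped for lack of “Show Hidden”, each with a reason the Administrator can read back from the log.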

Scope

  • This vulnerability impacts Cerberus FTP Server Enterprise deployments using HTTP(S) listeners with one or more users with Zip/Unzip permission enabled.
  • Non-Enterprise editions of Cerberus are not affected, as the HTTP(S) protocols are only a feature of the Enterprise edition.
  • Other transfer protocols, such as FTP, SFTP, and FTPS, are unaffected.

Known Affected Versions

  • 11.0 releases prior to 11.0.3
  • 10.0 releases prior to 10.0.18
  • 9.0 and older are out of support and no longer receiving updates. It is unknown whether issues in this advisory affect them.

Mitigation

This issue is addressed in versions 11.0.3 and 10.0.18. Cerberus Administrators are encouraged to upgrade to one of these versions or higher as soon as possible.

Until upgrade is complete, Cerberus administrators may mitigate by disabling zip/unzip permissions for individual users.

Credit

Special thanks to security researcher Quinn Zapata of Avalara for discovering and reporting this vulnerability.