Security Advisory
Description
Cerberus FTP Server uses OpenSSL. Our pseudo random number generator (PRNG) seeding process utilizes a number of methods and sources. OpenSSL supports Intel's RDRAND instruction; on processors without this instruction (Intel before 3rd generation Ivy Bridge in 2012 and AMD before 2015) our initialization looked for rdrand.dll in an unprotected directory.
If the path searched for rdrand.dll does not exist, a regular user might be able to create that unprotected path and place their own DLL in it. Control over a DLL loaded by OpenSSL could allow them to inject code that runs under the account running Cerberus FTP Server at the next reload.
In addition, our Windows code tried to access a non-existent unprotected source to help seed the PRNG. However, even if this source were compromised with known data, it would not compromise the overall PRNG initialization. Our PRNG seeding process utilizes a number of additional methods and sources to ensure sufficient entropy.
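The weakness described above is a DLL search path that does not exist and whose parent directory a regular user can write to. The following PowerShell audit is an added example, not Cerberus code; it takes candidate search directories (the advisory does not name the real one, so the paths below are placeholders), walks up to the nearest existing ancestor, and reports whether low-privileged principals hold create rights there.

```powershell
# Added example (not part of the advisory or Cerberus FTP Server).
# Audits whether a non-admin could create a missing DLL search directory.
function Test-PlantableDllPath {
    param(
        [Parameter(Mandatory)][string[]]$Directory,
        # Assumption: these are the principals treated as "low-privileged".
        [string[]]$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    # Rights that allow creating files or subdirectories (CreateFiles == WriteData).
    $createMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

    foreach ($dir in $Directory) {
        # Walk upwards until a directory that actually exists is found.
        $probe = $dir
        while (-not (Test-Path -LiteralPath $probe -PathType Container)) {
            $parent = Split-Path -Path $probe -Parent
            if ([string]::IsNullOrEmpty($parent) -or $parent -eq $probe) { break }
            $probe = $parent
        }
        $exists = Test-Path -LiteralPath $probe -PathType Container
        $weak = @()
        if ($exists) {
            # Only Allow ACEs for low-privileged principals are inspected;
            # Deny ACEs are not evaluated, so each hit is a finding to review.
            foreach ($ace in (Get-Acl -LiteralPath $probe).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $createMask) -ne 0) {
                    $weak += "$($ace.IdentityReference.Value):$($ace.FileSystemRights)"
                }
            }
        }
        [pscustomobject]@{
            RequestedDirectory = $dir
            DirectoryExists    = ($exists -and $probe -eq $dir)
            NearestExisting    = $probe
            LowPrivCanCreate   = ($weak.Count -gt 0)
            WeakAces           = ($weak -join '; ')
        }
    }
}

# Usage with placeholder directories (the advisory does not name the real path).
Test-PlantableDllPath -Directory 'C:\PLACEHOLDER\openssl\engines', 'C:\PLACEHOLDER\rdrand' | Format-List
```

A result with DirectoryExists false and LowPrivCanCreate true is the condition the advisory describes: the missing path can be created by an ordinary user.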
Fix
Cerberus FTP Server version 11.3.6 contains a number of changes to remove these threats.
- Any access to OpenSSL resources will now be within protected directories.
- We removed the code that caused OpenSSL to search for rdrand.dll on old processors.
- We removed access to the unprotected entropy source in Windows.
Scope
- This vulnerability impacts all editions of Cerberus FTP Server.
Known Affected Versions
- 11.0 releases prior to 11.3.6
- 10.0 releases prior to 10.0.31
- 9.0 and earlier are also affected. These versions are out of support and no longer receive updates.
Mitigation
This issue is addressed in versions 11.3.6 and 10.0.31. As always, Cerberus Administrators are urged to upgrade to these versions or higher as soon as possible.
This issue only affects instances running on older generations of processors.
Credit
Special thanks to Xavier DANEST at Decathlon for reporting this vulnerability.