SecurityReason - Jscape Secure FTP Applet

Advisory Text :

n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2008.001
23-June-2008

________________________________________________________________________
____
____

Vendor: Jscape, http://www.jscape.com/
Affected Products: Jscape Secure FTP Applet
http://www.jscape.com/sftpapplet/index.html
Vulnerability: SSH Host key is not verified allowing for Man in the
Middle
attacks
Risk: High
________________________________________________________________________
____
____

Overview
^^^^^^^^
JSCAPE software has been deployed in a wide array of industries including
aerospace, banking, communications, education, insurance, finance,
government and software. With customers in more than 50 countries
worldwide
the following is a small sample of companies who use JSCAPE products and
services. Customers include Boeing, SUN, ISS, SAP - See
http://www.jscape.com/clients.html for more details.

Secure FTP Applet is a secure FTP client component that runs within your
web
browser. Secure FTP Applet [..] while encrypting all data exchanged
between
the client and server using either the SFTP (FTP over SSH) or FTPS (FTP
over
SSL) protocols [..] ensuring that all data exchanged is completely secure.

Description
^^^^^^^^^^^
During the connection the Applet does not verify or display the host key.
As
such n.runs was able to perform a man in the middle attack during a
penetration test at a client.
Read more about SSH Host verification:
http://www.securityfocus.com/infocus/1806

Impact
^^^^^^
The supposedly secure connection is no longer secure. n.runs was able to
extract login, password and data with a simple SSH Man in the Middle
attack.

Solution:
^^^^^^^^^
Upgrade to version 4.9.0 or above

________________________________________________________________________
____
____

Vendor communication:

2006/04/12 n.runs sends a Vulnerability notice informing Jscape about
the
nature of the problem and the impact.
2006/04/13 Jscape acknowledges and ask for more details
2006/04/13 n.runs sends more details
2007/07/26 n.runs asks for feedback and if the problem has been
patched
2007/07/26 Jscape replies "We do not have a release date yet for this
task"
2007/07/26 n.runs asks whether they can offer a estimate when the
patch
will be available
2007/07/26 Jscape answers again "We do not have a release date yet for
this
task"
2008/02/19 n.runs requests a statement to be used in the advisory as
there
seems to be no intention to patch and argues "you deem this

problem as low yet it renders the *secure connection*
insecure."
2008/02/20 Jscape promises to "continue to look into this issue and
notify
you when a patch is available.
2008/02/25 n.runs notifies Jscape that an advisory will be released by
the
end of the week if they do not patch the flaw n.runs
reported

roughly 2 years ago.
"Given the long time this has already been reported
(12/2006),
and the criticality of this issue, I would expect a patch
to
be
ready by the end of the week. If the patch is not available
until
the end of this week (29.02.2008) I'll proceed with the
advisory"
2008/02/29 Jscape notifies n.runs that the flaw has been patched
2008/06/01 n.runs verifies the patch and confirms that Man in the
Middle
is
not longer possible if the user does not accept the new key.

n.runs however recommends that Jscape warns the users of the

security implications of a new SSH Host key rather then
simply
displaying "New Host key".
________________________________________________________________________
____
____

Credit
^^^^^^
Vulnerability discovered by Frank Dick and Thierry Zoller of n.runs AG.

About n.runs
^^^^^^^^^^^^
n.runs AG is a vendor-independent consulting company specialising in the
areas of: IT Infrastructure, IT Security and IT Business Consulting. In
2007, n.runs expanded its core business area, which until then had been
project based consulting, to include the development of high-end security
solutions.
Application Protection System - Anti Virus (aps-AV) is the first high-end
security solution that n.runs is bringing to the market.

Advisories can be found at : http://www.nruns.com/security_advisory.php

Copyright Notice
^^^^^^^^^^^^^^^^
Unnaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
security (at) nruns (dot) com [email concealed] for permission. Use of the
advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded.
In
no event shall n.runs be liable for any damages whatsoever including
direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if n.runs has been advised of the possibility of such
damages.

Copyright n.runs AG. All rights reserved. Terms of use apply.

________________________________________________________________________
____
____

Subscribe to the n.runs newsletter to be informed of the latest threats
and
tools by signing up to : http://www.nruns.com/newsletter_en.php