VanDyke Software

Security Advisory

VShell FTPS and the OpenSSL Heartbleed Vulnerability

Posted: April 22, 2014

Description

This information applies only to VShell FTPS. VShell (SSH2/SFTP), regardless of platform and version, is not affected by the Heartbleed vulnerability (CVE-2014-0160) because it does not provide FTPS connectivity: Heartbleed is a bug in OpenSSL's TLS heartbeat extension, and the SSH2/SFTP service does not use TLS.

VShell FTPS for Windows has never used OpenSSL and is therefore not affected by the Heartbleed vulnerability.

VShell FTPS for supported UNIX platforms uses OpenSSL for FTPS protocol support. Depending on the platform, VShell FTPS for UNIX may or may not be vulnerable to the Heartbleed vulnerability:

  • On Mac OS X, VShell FTPS 4.0.0 and 4.0.1 use and ship with a statically linked version of OpenSSL that is vulnerable to the Heartbleed bug. The VShell 4.0.2 maintenance release addresses this by shipping with OpenSSL 1.0.1g, which contains the fix. Besides 4.0.0 and 4.0.1, no other VShell versions are affected on the Mac OS X platform.
  • On AIX 7.1, Ubuntu 12/13, and RHEL 6, VShell FTPS dynamically links OpenSSL 1.0.1. This means that vshell-ftpsd loads whichever OpenSSL 1.0.1 library is installed on the system. On these platforms, it is highly recommended that the system OpenSSL be upgraded to a non-vulnerable version (1.0.1g upstream; note that distribution packages for Ubuntu and RHEL backport the fix without changing the version letter, so rely on the package changelog or vendor advisory rather than on the string printed by "openssl version"). Upgrading VShell is not necessary on these platforms, but a running vshell-ftpsd keeps the library it mapped at start-up, so it must be restarted after the OpenSSL upgrade before the non-vulnerable version is actually in use.
  • On all other UNIX platforms, VShell FTPS uses OpenSSL 0.9.8 or 1.0.0, neither of which is affected by the Heartbleed vulnerability.
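The restart step on the dynamically linked platforms is the one most easily skipped. The following shell example is added here and is not VanDyke's tooling: it checks, from a Linux process's /proc/<pid>/maps, whether a running vshell-ftpsd still has the pre-upgrade libssl/libcrypto mapped, and classifies an "openssl version" string against the upstream range affected by Heartbleed. The /proc maps lines are constructed samples, the process name vshell-ftpsd is taken from this advisory, and the version check generalizes beyond the table above to the whole affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```shell
#!/bin/sh
# Added example, not VanDyke's own tooling. Two checks for the dynamically
# linked platforms: (1) does the running vshell-ftpsd still have the
# pre-upgrade OpenSSL mapped, and (2) is an `openssl version` string inside
# the upstream range affected by Heartbleed (CVE-2014-0160)?

# stale_ssl_mappings: read /proc/<pid>/maps on stdin (Linux) and print each
# libssl/libcrypto path whose file has been replaced on disk. A process keeps
# the shared objects it mapped at start-up; once the package upgrade replaced
# the file, the kernel shows the old mapping as "(deleted)".
stale_ssl_mappings() {
    grep -E 'lib(ssl|crypto)\.so' | grep -F '(deleted)' | awk '{print $6}' | sort -u
}

# needs_restart: exit 0 (true) when a stale mapping exists, i.e. the daemon
# is still running the old library and must be restarted.
needs_restart() {
    [ -n "$(stale_ssl_mappings)" ]
}

# version_in_affected_range "OpenSSL 1.0.1e 11 Feb 2013"
# Exit 0 when the upstream version is 1.0.1 through 1.0.1f or 1.0.2-beta1.
# 0.9.8, 1.0.0 and 1.0.1g (the fixed release) are outside the range.
# Caveat: Ubuntu and RHEL backport the fix without bumping the letter, so a
# 1.0.1e reported as "affected" here may already be patched; confirm with the
# package changelog (e.g. rpm -q --changelog openssl | grep CVE-2014-0160, or
# the Debian changelog under /usr/share/doc/libssl1.0.0/) before deciding.
version_in_affected_range() {
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$v" in
        1.0.1 | 1.0.1-* | 1.0.1[a-f]* | 1.0.2-beta1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample /proc/<pid>/maps lines (not captured from a real host).
# STALE: daemon started before the upgrade; libssl/libcrypto since replaced.
SAMPLE_STALE='7f3c1c000000-7f3c1c1bd000 r-xp 00000000 08:01 655412 /lib/x86_64-linux-gnu/libc-2.15.so
7f3c1c400000-7f3c1c5b0000 r-xp 00000000 08:01 655501 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3c1c7c0000-7f3c1c81f000 r-xp 00000000 08:01 655503 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
# FRESH: daemon restarted after the upgrade; all mappings point at live files.
SAMPLE_FRESH='7f3c1c000000-7f3c1c1bd000 r-xp 00000000 08:01 655412 /lib/x86_64-linux-gnu/libc-2.15.so
7f3c1c400000-7f3c1c5b0000 r-xp 00000000 08:01 655611 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3c1c7c0000-7f3c1c81f000 r-xp 00000000 08:01 655613 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# On a live Linux host the same check is:
#   pid=$(pgrep -x vshell-ftpsd)
#   needs_restart < /proc/$pid/maps && echo "vshell-ftpsd still maps the old OpenSSL; restart it"
# and `ldd <path to vshell-ftpsd> | grep -E 'libssl|libcrypto'` shows which
# library file a freshly started daemon would load.

printf '%s\n' "$SAMPLE_STALE" | needs_restart && echo "sample STALE: restart required"
printf '%s\n' "$SAMPLE_FRESH" | needs_restart || echo "sample FRESH: already on the new library"
```

Run the version check against the output of "openssl version" only as a first filter; on the backporting distributions the package changelog or vendor advisory is the authoritative answer, and the /proc check is what tells you whether the running daemon has picked the fixed library up at all.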

In addition to upgrading VShell or OpenSSL on vulnerable systems, it is recommended that any SSL certificates and their associated private keys used by VShell FTPS be replaced, and that user passwords be changed, since both may have been read from server memory while the vulnerable library was in use. Do this after the upgrade and restart, because keys and passwords issued to a still-vulnerable server are exposed in the same way.

Operating System                       OpenSSL Version  Linked   Vulnerable?  Action
Windows                                Not Used         N/A      No           None
Ubuntu, RHEL, AIX                      1.0.1            Dynamic  Possible     Upgrade OpenSSL on OS to a non-vulnerable version
Mac OS X (VShell 4.0.0 & 4.0.1 only)   1.0.1            Static   Yes          Upgrade to VShell 4.0.2 or later
FreeBSD                                0.9.8            Dynamic  No           None
SUSE 11                                0.9.8            Dynamic  No           None
SUSE 12                                1.0.0            Dynamic  No           None
Solaris 10                             0.9.8            Static   No           None
Solaris 11                             1.0.0            Dynamic  No           None

Official Postings

CERT published an advisory on this vulnerability on April 7, 2014.

CODENOMICON published an advisory on this vulnerability on April 15, 2014.

Revision History

April 22, 2014 - Security Advisory published.