After updating to Cerberus FTP Server 12.7.0 or above, you may find that your 'FTP Access' is now marked 'Not Secure' and that one or more messages in System Messages state: 'FTP listener 'x' can allow session hijacking in passive secure data connections'.
This warning highlights a risk that arises from how the FTP protocol works with its separate control and data channels in passive mode. In order to prevent another current user from hijacking a new passive data connection, Cerberus now has an FTP setting that requires session reuse. Session reuse takes advantage of TLS features to verify that a resumed data connection pairs with the same active control connection.
FTP is unusual in that it has a separate control channel and data channel. Data connections can be made from the server back to the client or vice versa, but today, because of firewalls, the client usually connects back to the server using passive mode. While only the client will know the port number to be used for the data connection, the problem is that only a subset of the available ports is typically used for the data channel. On a busy server, an attacker can try random ports and may eventually find an open data connection and hijack it.
Reusing the TLS session protects you from the possibility that an attacker could hijack an FTP data connection. If the server requires that the same TLS session be used for the data connection resumption, the attacker will not be able to start their own TLS session, preventing them from accessing any data.
This works because the server and the client share the TLS session (and its keys) negotiated on the control channel. The client resumes that session when it connects to the data channel. The server, when this feature is enabled, compares the session presented on the data connection with the one from the control channel and only allows the data connection if they match.
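The following is an added illustration, not Cerberus code: a small Python model of the server-side check described above, showing what happens to a data port when another logged-in user races the legitimate client to it, with 'Require Session Reuse' on and off. The class and user names, the passive port range, and the random bytes standing in for TLS session identifiers are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ControlSession:
    """One authenticated control connection and the TLS session it negotiated."""
    user: str
    tls_session_id: bytes  # stand-in for the real TLS session ID / ticket


@dataclass
class PassiveListener:
    """Constructed model of a passive-mode FTPS listener handing out data ports."""
    require_session_reuse: bool
    passive_ports: range = range(50000, 50010)  # the small pool an attacker can scan
    pending: Dict[int, ControlSession] = field(default_factory=dict)  # port -> requester

    def pasv(self, ctrl: ControlSession) -> int:
        """Server side of PASV: pick a free data port and remember which control session asked."""
        for port in self.passive_ports:
            if port not in self.pending:
                self.pending[port] = ctrl
                return port
        raise RuntimeError("no free passive ports")

    def accept_data(self, port: int, presented_session_id: Optional[bytes]) -> bool:
        """Incoming data connection on `port`. presented_session_id is the TLS session the peer
        tried to resume (None = a fresh handshake). Returns True if the transfer is allowed."""
        owner = self.pending.get(port)
        if owner is None:
            return False  # nobody is waiting on this port
        if self.require_session_reuse and presented_session_id != owner.tls_session_id:
            return False  # different TLS session: refuse and keep the port reserved for its owner
        del self.pending[port]  # first accepted connection consumes the port
        return True


def simulate(require_session_reuse: bool) -> Tuple[bool, bool]:
    """Return (hijacker_accepted, legitimate_client_accepted) for one PASV transfer."""
    listener = PassiveListener(require_session_reuse)
    alice = ControlSession("alice", secrets.token_bytes(32))
    mallory = ControlSession("mallory", secrets.token_bytes(32))  # another current user
    port = listener.pasv(alice)
    # Mallory guesses the port and connects first, offering his own TLS session.
    hijacked = listener.accept_data(port, mallory.tls_session_id)
    # Alice then connects, resuming the session from her control connection.
    legit = listener.accept_data(port, alice.tls_session_id)
    return hijacked, legit
```

With the option off, the first connection to the port wins the transfer; with it on, only the control connection that issued PASV can claim the port.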
Until now, Cerberus has not had an option to enforce this requirement and has left it up to the client. With this new setting, administrators can now make this required and remove any risk posed by the vulnerability.
We are not making this setting mandatory because some old client software (more than 10 to 15 years old) may not support this feature, some newer clients may not have it enabled, and we do not want to risk breaking existing processes. However, we strongly encourage turning the feature on. It should only be off if the client software cannot be updated to support session reuse.
As of Cerberus 12.7.0, administrators have three options:
- Secure your FTP and FTPS listeners by turning on the option and making sure all clients are updated to handle session reuse;
- Create a separate FTP/FTPS listener on a custom port for the old clients only. On that listener you can leave the reuse option off and/or turn off 'require secure data' and 'require secure control'. It is strongly recommended to restrict connections to that listener by IP address so that others cannot connect to it; or
- As a last resort, if you have clients that cannot update their software, turn off 'Require Session Reuse' and dismiss the Summary message. Again, it is strongly recommended to restrict access to this listener by IP address. Ensure that 'require secure control' and 'require secure data' are still ON where possible.
To turn on the option and remove the Summary message, navigate to 'Server Manager' > 'Listeners':
- Click on the 'FTP' listener that lists your server IP address to highlight it
- Scroll down to see the listener settings
- Tick the checkbox marked 'Require Session Reuse'
- Scroll to the bottom of the page and press 'Update' to save
- A Cerberus service restart is required for the setting to take effect.
If an administrator chooses not to enable the option and wants to dismiss the system message in the Cerberus user interface, click the 'X' next to the message to dismiss it.