--------------------------------------------------------------------------------

Advisory ID: SYSS-2014-006
Product: SmartFTP 
Vendor: SmartSoft Ltd.
Affected Version(s): 5.0.1353.0
Tested Version(s): SmartFTP 5.0.1353.0 (Windows 7 32 Bit)
Vulnerability Type: X.509 validation
Risk Level: Medium
Solution Status:
Vendor Notification: 2014-04-09
Solution Date:
Public Disclosure: 2014-05-26
CVE Reference: Not assigned, yet
Author of Advisory: Micha Borrmann (SySS GmbH)

--------------------------------------------------------------------------------

Overview: SmartFTP is not validating X.509 certificates, if FTP with TLS is used

--------------------------------------------------------------------------------

Vulnerability Details:
A user can not recognize an easy to perform man-in-the-middle attack, because the client is not validate the X.509 certificate from the FTP server (it means the client accept any, also self-signed X.509 certificates). In an untrusted networking environment (like a Wifi hotspot), the current FTP AUTH TLS connection with FTPGetter Standard should be classified as not encrypted. This is also a violation against the own website, because it is written at https://www.smartftp.com/support/kb/what-is-ssl-f3.html

The server sends the client a certificate and a public key for encryption. If the client accepts/trusts the server's certificate, an SSL connection can be established.

--------------------------------------------------------------------------------

Proof of Concept (PoC): not needed

--------------------------------------------------------------------------------

Solution: use another client for FTP with AUTH TLS

--------------------------------------------------------------------------------

Disclosure Timeline:

April 9, 2014 - Vulnerability discovered
April 9, 2014 - Vulnerability reported to vendor

--------------------------------------------------------------------------------

References:

--------------------------------------------------------------------------------

Credits:

Security vulnerability found by Micha Borrmann of the SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Micha_Borrmann.asc
Key fingerprint = 6897 7B33 B359 B8BA 0884  969F FC67 EBA9 1B51 128A

--------------------------------------------------------------------------------

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

--------------------------------------------------------------------------------

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en