#VU43432 Cryptographic issues in FTP Server - CVE-2012-5301

Cybersecurity Help s.r.o.

Published: 2012-10-04 | Updated: 2020-08-11

Vulnerability identifier: #VU43432

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-5301

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FTP Server
Server applications / Other server solutions

Vendor: Cerberus

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The default configuration of Cerberus FTP Server before 5.0.4.0 supports the DES cipher for SSH sessions, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and performing a brute-force attack on the encrypted data.

Mitigation
Install update from vendor's website.

Vulnerable software versions

FTP Server: 1.0 - 5.0.3.0

External links
https://www.cerberusftp.com/products/releasenotes.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/79503

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Cryptographic issues in Cerberus FTP Server