Monday, 22 April 2013 - we have discovered a security vulnerability affecting SFTPPlus Server versions 1.6, 1.7 and 1.8.
Due to an error in the verification of the SSH key signature, when SSH key authentication is used for an SFTP transfer a client can authenticate with only the public part of the SSH key, without possessing the corresponding private key.
Access obtained this way is still restricted to the specific account for which that public key is enabled. Full server access is not granted.
To exploit this issue a third party needs a copy of the public SSH key and a modified SFTP client that initiates the SFTP session without requiring the private SSH key. Keep in mind that public keys are not secret by design: they are handed to administrators, kept in authorized-key lists and are sometimes published, so possession of the public key alone should never be treated as proof of identity.
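To make the flaw concrete, the following is an added illustration, written for this page and not SFTPPlus code nor a description of its internals: a minimal server-side "publickey" check in Go. The vulnerable pattern accepts any request whose public key appears on the account's authorized list and never looks at the signature; the correct pattern additionally verifies the client's signature over the session-bound data defined in RFC 4252 section 7. With only the public key a client cannot produce that signature, and, because the session identifier is part of the signed data, a genuine signature captured from one connection also does not verify in another (the replay case goes slightly beyond what the advisory states). The account name "alice", the session identifiers and the Ed25519 key pair are constructed for the example, and the key blob is simplified to the raw 32-byte key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH "string": big-endian uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// UserauthRequest holds the SSH_MSG_USERAUTH_REQUEST fields relevant to the
// "publickey" method. PubKey is simplified to the raw 32-byte Ed25519 key;
// a real SSH key blob also carries the algorithm name.
type UserauthRequest struct {
	SessionID []byte // exchange hash of this connection, known to both sides
	User      string
	Service   string
	Algorithm string
	PubKey    []byte
	Signature []byte // filler when the client has no private key
}

// signedData is the byte sequence RFC 4252 section 7 requires the client to sign.
// The session identifier binds the signature to one connection.
func (r UserauthRequest) signedData() []byte {
	var buf bytes.Buffer
	buf.Write(sshString(r.SessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(r.User)))
	buf.Write(sshString([]byte(r.Service)))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte(r.Algorithm)))
	buf.Write(sshString(r.PubKey))
	return buf.Bytes()
}

// AuthorizedKeys maps an account name to the public keys enabled for it.
type AuthorizedKeys map[string][]ed25519.PublicKey

func (a AuthorizedKeys) allows(user string, key []byte) bool {
	for _, k := range a[user] {
		if bytes.Equal(k, key) {
			return true
		}
	}
	return false
}

// VulnerableAuth is the flawed pattern: key is on the account's list, so accept.
func VulnerableAuth(keys AuthorizedKeys, r UserauthRequest) bool {
	return keys.allows(r.User, r.PubKey)
}

// FixedAuth requires the key to be enabled for the account AND a valid signature,
// which only the holder of the private key can produce.
func FixedAuth(keys AuthorizedKeys, r UserauthRequest) bool {
	if !keys.allows(r.User, r.PubKey) {
		return false
	}
	if r.Algorithm != "ssh-ed25519" || len(r.PubKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(r.PubKey), r.signedData(), r.Signature)
}

// Outcome records how each check treats the constructed requests.
type Outcome struct {
	VulnAcceptsPubKeyOnly  bool // flawed server, client holding only the public key
	FixedAcceptsPubKeyOnly bool // fixed server, same client
	FixedAcceptsOwner      bool // fixed server, genuine key holder
	FixedAcceptsReplay     bool // fixed server, owner's signature on another session
}

// Demo builds one constructed account with one enabled key and runs the checks.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	keys := AuthorizedKeys{"alice": {pub}}
	owner := UserauthRequest{SessionID: []byte("constructed-session-id-1"),
		User: "alice", Service: "ssh-connection", Algorithm: "ssh-ed25519", PubKey: pub}
	owner.Signature = ed25519.Sign(priv, owner.signedData())
	attacker := owner // has the public key only; sends zero-filled signature
	attacker.Signature = make([]byte, ed25519.SignatureSize)
	replay := owner // genuine signature presented on a different connection
	replay.SessionID = []byte("constructed-session-id-2")
	return Outcome{
		VulnAcceptsPubKeyOnly:  VulnerableAuth(keys, attacker),
		FixedAcceptsPubKeyOnly: FixedAuth(keys, attacker),
		FixedAcceptsOwner:      FixedAuth(keys, owner),
		FixedAcceptsReplay:     FixedAuth(keys, replay),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Run as-is to see the four outcomes; the flawed check accepts the public-key-only request, while the fixed check accepts only the genuine key holder on the session the signature was made for.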
This does not affect SFTP transfers for which SSH key authentication is not enabled.
This does not affect FTP or FTPS transfers.
This does not affect SFTPPlus Server versions 1.5 and below.
This does not affect SFTPPlus Client at any version.
Available fix
To fix this error we have released new versions of SFTPPlus Server for all supported release series.
Update for release series 1.8 together with documentation is available at:
http://www.sftpplus.com/documentation/server/v/1.8.6/
Update for release series 1.7 together with documentation is available at:
http://www.sftpplus.com/documentation/server/v/1.7.21/
Users of version 1.6 are asked to upgrade to the latest version, 1.8.6. Besides this security fix, upgrading to 1.8.6 also provides other fixes and new features.
If you are not able to upgrade to one of the supported versions, please let us know and we will work with you to make sure this security error is fixed on your production servers.
We apologize for any inconvenience that may occur as a result of these changes!