Search

GlobalSCAPE Knowledge Base

Globalscape's answers to potential vulnerabilities

Karla Marsh
General

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • All products, all versions

DISCUSSION

Over the past decade, EFT has been subjected to a large number of security assessments and pen tests conducted by Globalscape’s customers across a wide variety of verticals (banking and finance, government, healthcare, detail, etc.).

The type of security testing employed by Globalscape’s customers, along with the tools and techniques used, is often dictated by a combination of the organization’s budget and its internal security posture. Based on historical observations, those techniques are typically grouped into the following three categories, from least to most expensive: 

1. The organization uses internal IT staff to leverage homegrown or freely available tools to perform manual penetration tests, including fuzzing tools, debuggers, and similar tools.

2. The organization leverages third-application security testing tools such as HP’s WebInspect, IBM’ AppScan, Tenable’s Nessus, Paladion’s Plynt, among others.

3. The organization outsources pen testing to a third party, such as ProCheckup, OneConsult, Emaze Networks, A&O Corsaire, SEC Consult, LTI, Cenzic Hailstorm, and many others.

Pen test results of any significance are often shared with Globalscape, typically under NDA. Globalscape has a formal process in place to review potential vulnerabilities, beginning with an in-depth technical assessment by Globalscape’s engineering department, which includes categorizing vulnerabilities according to their security impact using CVSS’ scoring methodology, followed by a formal technical response that is delivered to our customers detailing whether the vulnerability is a false positive or not, its CVSS score where applicable, any workarounds if available, and the expected fix and remediation timeline.

To date, no active exploit or high CVSS scoring vulnerability has been identified, with most vulnerabilities centered around implementation of best practices, such as applying proper anti-CSRF techniques to EFT’s web app pages, using appropriate headers, tagging cookies as HttpOnly, and similar OWASP recommended security techniques. On occasion, a vulnerability is reported as a question, such as “How does EFT mitigate against Spectre, Meltdown, or Poodle?” which may result in a fix being deployed, or simply a knowledgebase article that explains how EFT is or is not affected by said situation.

For the year 2018, for example, the following vulnerabilities were reported:

  • A lack of comprehensive support for “no-cache” in addition to the already present “no-store” cache controls 

  • Questions on whether EFT was affected by Meltdown or Spectre vulnerabilities.

  • Concern over CSFR token being communicated over a URL rather than in headers on one of WTC’s pages, in accordance with best practices 

  • A request that EFT provide configurable options so as to only accept a given set of host headers to reduce the risk of a host header injection attack (addressed in EFT 7.4.11)

These were minor concerns, with no actual vulnerability or exploit reported, instead mainly consisting of adherence to security best practices.

In addition to customer security testing, which comprises the bulk of EFT’s security testing (due to the broad set of tools and techniques used across our customer base), Globalscape conducts its own security testing by using freely available tools provided by HTBridge and Qualsys, applying said scans against each new release of EFT, in particular, its public-facing web client app. Customers can repeat these tests in their own environment by accessing these services directly, as results will varying depending on EFT’s configuration. For example, disabling TLS 1.1 in order to force TLS 1.2 will yield a higher score than if TLS 1.1 is left enabled by default.

Through this combination of direct security testing by Globalscape and indirect third-party security testing by our customers, EFT is subjected to an almost constant barrage of tests, which helps us achieve a high level of confidence in the security of our platform. At the same time, we practice “security by design,” continually striving to find that perfect balance between optimal flexibility while minimizing attack vectors, so that we can maintain our long-standing reputation as a highly secure yet infinitely flexible MFT platform.

Any security vulnerabilities found were promptly addressed and included in subsequent patch or major release versions of the software, as captured in the version history. (On the version history page for your product, search for "security.")

Below is a list of Globalscape Knowledgebase articles discussing vulnerabilities addressed in our products.

All products:

TITLE

VERSION

TCP Sequence Number Approximation Vulnerability

all versions

DMZ Gateway version 3.x uses Java 1.6.0 build 14. Is there any concern over known remote vulnerabilities in this version of Java?

DMZ v3

Q: What is GlobalSCAPE’s response to the SSL/TLS BEAST exploit?

all versions

The server issued one or more cookies that did not have the HttpOnly flag set

6.4.0 and later

Does Globalscape release security patches for products separate from general version releases?

all

Are Globalscape applications being developed using common secure coding practices?

all

Has penetration testing been done against EFT Server?

all

Is EFT Server vulnerable to the CRIME attack on the SSL protocol?

all versions

The Heartbleed OpenSSL Vulnerability and Mail Express

3.3 and later

EFT and SSL Vulnerabilities

all

The POODLE OpenSSL Vulnerability and Mail Express

3.3 and later

The POODLE OpenSSL Vulnerability and Enhanced File Transfer (EFT)

all

Does the GHOST vulnerability affect any Globalscape products?

all

EFT v7.1.1 and later OpenSSL Registry Overrides

7.1.1 and later

Is EFT affected by CVE-2015-4000 (AKA "Logjam")?

all

Mail Express® is NOT vulnerable to the Apache Commons Library exploit

all

Enable or Disable Diffie-Hellman-group1-sha1 KEX for SFTP

7.2.1 and later

Is EFT vulnerable to SSL vulnerability CVE-2016-6303 (DoS attack)?

all versions

Is the HTML editor in CuteFTP affected by the compromised scilexer.dll?

all

Bleichenbacher's ROBOT Vulnerability

all

Is EFT affected by the recent “Meltdown” and “Spectre” vulnerabilities?

all

Why is the EFT Web Transfer Client (WTC) using an older version of jQuery?

8.0.4 and earlier

Globalscape's answers to potential vulnerabilities

all

EFT is NOT affected by the LibSSH vulnerability

all

EFT Penetration Test Results FAQ

7 - 8.0.4

Penetration testing reports indicate that uploading files to EFT is a security risk. How can I prevent that?

all

XFF and DoS Security Vulnerability

7.4.5.6 and later

Is my EFT Arcus implementation susceptible to the Azure Stack vulnerabilities?

all

Is EFT vulnerable to the Raccoon attack?

all

Are Globalscape products affected by the Log4j v2 security vulnerabilities?

all

Are any Globalscape products affected by the Spring4shell vulnerability?

all

Improper Handling of Exceptional Conditions in Newtonsoft.Json

all

Is EFT susceptible to the Zip Slip vulnerability?

EFT v8.0.0.38 and 8.1.0.14

Is EFT susceptible to the "Authentication Bypass via Out-of-bounds Memory Read " vulnerability?

EFT v8.0.0.38 and 8.1.0.14

Is EFT susceptible to the "Password Leak Due to Insecure Defaults" vulnerability?

EFT v8.x and 8.1.0.14

Is EFT susceptible to the "Denial of service via recursive Deflate Stream" vulnerability?

EFT v8.x and 8.1.0.14

Is EFT susceptible to the "Remotely obtain HDD serial number" vulnerability?

EFT v8.x and 8.1.0.14

Securing your Globalscape Solution

All

SSL-Security-Levels-and-CuteFTP

EFT and CuteFTP

Specify CSP to Pass Security Web Scans and to use Google reCaptch for Drop-Off

EFT v7.4.11 and later

Security Audit report states weak ciphers are enabled in EFT.

EFT v7.x and late

Details
Last Modified: 3 Months Ago
Last Modified By: kmarsh
Type: INFO
Rated 2 stars based on 9 votes.
Article has been viewed 56K times.
Options
Also In This Category
Tags