Wednesday, February 18, 2009

vsftpd-2.1.0 released

I just released vsftpd-2.1.0, with full details being available on the vsftpd web page:

http://vsftpd.beasts.org/

It fixes a bunch of bugs and compile errors, introduces a few minor new features, has some code clean ups, etc. etc.

vsftpd-2.1.0 is interesting from a security perspective because of its changes to SSL support. It actual contains a reasonable resolution to the connection theft attack I blogged about here:

http://scarybeastsecurity.blogspot.com/2008/02/your-ftp-ssl-solution-is-really-secure.html

In the linked advisory I said "I have a crazy idea to use the SSL session cache as a cheezy form of authentication". Well, thanks to investigation by Tim Kosse of FileZilla fame, it turns out this is a very feasible option. Better still, a large number of clients already (whether they know it or not) use SSL session reuse between the control and data connection. This includes up to date versions of FileZilla, lftp and command line ftp-ssl. Therefore, vsftpd now defaults to requiring SSL session reuse. If your SSL FTP client does not re-use sessions, you can turn this off but you would do better to change FTP clients. Tim's FileZilla seems like a pretty awesome option to me. Hopefully other FTP servers will follow suit (quick source code scanning of popular open source ones seemed to lack a call to the relevant SSL_session_reused OpenSSL API.

Other new security features are:
  • A per-process memory map limit of 100Mb. Just because it was easy, really. Note however!!! A memory leak in a session-private, isolated child process of a daemon cannot really be considered a security problem in this day and age -- unless you're on crack.

  • An ambitious new built-in sandbox. Think of it as privsep++, but more on this in an upcoming post and paper.

32 comments:

  1. Get error message from make procedure.

    gcc -c ptracesandbox.c -O2 -Wall -W -Wshadow -idirafter dummyinc
    ptracesandbox.c: In function `ptrace_sandbox_permit_utime':
    ptracesandbox.c:914: `__NR_utimes' undeclared (first use in this function)
    ptracesandbox.c:914: (Each undeclared identifier is reported only once
    ptracesandbox.c:914: for each function it appears in.)
    make: *** [ptracesandbox.o] Error 1

    Should I need to install some required software ?

    ReplyDelete
  2. same as Allen`s problem
    os version is CentOS release 3.9 (Final)

    ReplyDelete
  3. Sorry about the build breakage, and thanks for trying to try it! Should be addressed at ftp://scary.beasts.org/users/cevans/vsftpd-2.1.1pre1.tar.gz

    ReplyDelete
  4. great it works with 2.1.1pre1 thanks lot

    ReplyDelete
  5. user_config_dir now requires a per-user config file to exist, login aborts with "500: OOPS: cannot open config file" otherwise.

    Was this intentional or is it an unexpected side-effect when removing the security check in handle_per_user_config()?

    ReplyDelete
  6. with LFTP | Version 3.7.9:
    ls: Access failed: 522 SSL connection failed; session reuse required

    You wrote:
    "This includes up to date versions of [...] lftp [...]"

    This lftp version is only 9 days old and it doesn't seem to support "session reuse". Not sure what exactly your idea of an "up to date version" of lftp is...

    ReplyDelete
  7. Chris,
    I need the command SITE MD5 added to VSFTPD. Can this be put into a release?

    ReplyDelete
  8. I'm gettting sporadic "Fatal error: SSL_read: wrong version number" error messages in old (3.7.0) and new (3.7.9) versions of lftp with the new vsftpd 2.1.0 while downloading :-(

    ReplyDelete
  9. In FileZilla 3.2.2.1 while downloading from a friend's "FTPES (FTP over explicit TLS/SSL)" encrypted vsftpd 2.1.0, I get following error often:

    Status: Server did not properly shut down TLS connection
    Error: Disconnected from server: ECONNABORTED - Connection aborted

    This means lots of resuming and is no good!

    ReplyDelete
  10. Trying to build this on a RedHat 9 box. Default build (of 2.1.1pre1) works fine, but trying to build it with SSL turned on give me this:

    ssl.o(.text+0xd2f): In function `ssl_cert_digest':
    : undefined reference to `EVP_sha256'

    ReplyDelete
  11. Just in case this may help someone else. I needed to install the latest version of vsftpd 2.1.0 on CentOS 5.2 (rebuild of Red Hat Enterprise Linux 5.2). Here are the steps I had to follow after many dead ends.

    1. Download the source rpm from ftp://rpmfind.net/linux/fedora/development/source/SRPMS/vsftpd-2.1.0-2.fc11.src.rpm into an empty working directory.

    2. Manually extract the files into the current working directory from the rpm using:

    rpm2cpio vsftpd-2.1.0-2.fc11.src.rpm | cpio -idmv --no-absolute-filenames

    This step and the following steps are necessary because rpmbuild fails when trying to rebuild.

    3. Extract the source files from the tarball contained in the source rpm:

    tar xvzf vsftpd-2.1.0.tar.gz

    The source files will now be in a subdirectory called vsftpd-2.1.0 and the patch files will be in the current directory.

    4. Apply the patches to the source code using:

    for patch in `ls vsftpd-2.1.0*.patch`; do patch -p0 < $patch; done

    5. Change to the vsftpd-2.1.0 subdirectory and add -lssl to the end of the LIBS line in Makefile.

    6. Run make.

    7. If all went well, you can you copy the vsftpd executable to /usr/sbin overwriting the previous version (2.0.5). You will want to back up your previous version before doing this.

    ReplyDelete
  12. The company that provides our SSL support has actively discouraged us from using SSL session resumption because they're aware of some FTPS servers that will disconnect as soon as it's used. So not only are you breaking a bunch of existing FTP clients by adding arbitrary requirements on top of the established spec, but you're forcing us to then break existing FTP servers in response. Thanks. Maybe we'll just suggest to our users that they switch to a less abusive server instead.

    ReplyDelete
  13. @Craig: Thanks for your comment and I understand where you are coming from.

    vsftpd is configurable; please feel free to use the option "require_ssl_reuse=NO".

    One of vsftpd's appeals is that it is arguably the most secure FTP server available. So, I'm sure you understand why the default is set the way it is. See http://scarybeastsecurity.blogspot.com/2008/02/your-ftp-ssl-solution-is-really-secure.html

    ReplyDelete
  14. HELP!!!
    I am trying to compile this on a Solaris 10u6 box. Keep hitting the same snag >>>

    ./vsf_findlibs.sh`
    Undefined first referenced
    symbol in file
    EVP_sha256 ssl.o
    ld: fatal: Symbol referencing errors. No output written to vsftpd
    collect2: ld returned 1 exit status
    *** Error code 1
    make: Fatal error: Command failed for target `vsftpd'

    We have installed openssl as a package (from sunfreeware) and compiled it locally, neither way has helped.

    Please, someone... call me names, tell me I'm stupid, anything as long as there is a working answer...
    Thanks

    ReplyDelete
  15. Further info:
    After it crashes during the 'make' and running the ./vsf_findlibs.sh seems to find them okay:
    # ./vsf_findlibs.sh
    -lpam
    -ldl
    -lsocket
    -lnsl
    -lresolv
    -lposix4
    -lposix4
    -lsendfile
    -lssl -lcrypto

    I apologize, I am not a programmer so if I am missing something I appreciate any help.
    Thanks,

    ReplyDelete
  16. Please HelpI have been able to compile on AIX and our Linux machines already come with vsftpd.
    Please someone, what is vsftpd looking for on Solaris that is causing the make to fail? How is the environment set up on those of you who have been able to successfully compile on Solaris?

    ReplyDelete
  17. user_config_dir now requires a per-user config file to exist, login aborts with "500: OOPS: cannot open config file" otherwise.

    Was this intentional or is it an unexpected side-effect when removing the security check in handle_per_user_config()?

    ---

    I see the same issue. Is there a workaround for this yet? This is sort of a big problem for me...

    ReplyDelete
  18. I was never able to overcome the 'make' errors. However, found http://www.blastwave.org/packages.php/vsftpd to have ssl compiled in, so all is well.
    Would have been nice if someone could have found a solution. I'm sure that there are others that have had the same issue.

    ReplyDelete
  19. Hello,
    @patrick.swartz, maybe you have the wrong OpenSSL version, must upgrade to 0.9.8 to successfully compile vsftpd, what's OpenSSL version ?

    ReplyDelete
  20. @openssl question - Our Solaris boxes have OpenSSL 0.9.7d 17, which might have been the problem. Am going to stick to the package from blastwave as we have numerous servers to deploy to and packages are easier.
    Speaking of packages ---
    I was able to successfully build on our AIX 5.3 test server, however, I am not allowed to install all of the compiling parts on our production systems. So....
    Can someone help create a RPM or at maybe a good rpm spec file so I can run rpm build?
    Thank everyone for your help,
    Patrick

    ReplyDelete
  21. This comment has been removed by the author.

    ReplyDelete
  22. I use vsftpd 2.1.0 and filezilla 3.2.4.1 and I ALWAYS get:
    522 SSL connection failed; session reuse required

    filezilla support you said??

    ReplyDelete
  23. @A. Mustermann: that's strange. I don't get that with LFTP 3.7.8 (with GnuTLS 2.4.2) on my Ubuntu 9.04 machine. vsftpd linked to openssl-0.9.8g-15ubuntu. I'd love to know what is causing the difference. In the meantime, check out my April 7 post about require_ssl_reuse.

    @Gelegrodan: same sort of comment; works fine with FileZilla 3.2.2.1 (GnuTLS 2.4.2-6) on my Ubuntu 9.04. You can again fix this by checking my April 7 post about require_ssl_reuse.

    ReplyDelete
  24. @Hans: looking into this. What OS are you running vsftpd on? It could be related to another report I've had of the data_connection_timeout firing when it should not.

    ReplyDelete
  25. @Hans: Ah, just reproduced it. I'll get v2.1.1 out with a fix ASAP, hopefully tomorrow otherwise after the long weekend.

    ReplyDelete
  26. @Anonymous: the regression relating to per-user config file loading will be fixed in v2.1.1. Absence of a given per-user file will be silently ignored once more.

    ReplyDelete
  27. Thanks, reuse=NO option saved my life

    ReplyDelete
  28. Thanks a lot for this new release vsftpd-2.1.0 . Cheers

    ReplyDelete
  29. Do you plan to solve that bug where fireftp cannot connect to vsftp using tls/ssl?

    ReplyDelete
  30. We would like to use the require_ssl_reuse option in the user config file, but it doesn't seem to take unless we put in the main config. Can you confirm that's how its working?

    ReplyDelete
  31. Hi Chris,

    I've been using vsftpd for a few years as my go-to FTP server on Ubuntu. It's great; thanks!

    However, I seem to have a problem now with version 2.2.2-3ubuntu6.3, where it is not honouring the require_ssl_reuse=NO setting in the main vsftpd.conf.

    Here is the message from the server:

    522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page

    I'm using the FTP plugin for Total Command for Android.

    Here is the line from my config:

    require_ssl_reuse=NO

    Any idea why this setting would not take?

    ReplyDelete
  32. I am discussing (hopefully) the relationship of require_ssl_reuse and Java FTP clients here:

    http://mail.openjdk.java.net/pipermail/security-dev/2016-December/015252.html

    ReplyDelete