Wednesday, February 18, 2009

vsftpd-2.1.0 released

I just released vsftpd-2.1.0, with full details being available on the vsftpd web page:

http://vsftpd.beasts.org/

It fixes a bunch of bugs and compile errors, introduces a few minor new features, has some code clean ups, etc. etc.

vsftpd-2.1.0 is interesting from a security perspective because of its changes to SSL support. It actual contains a reasonable resolution to the connection theft attack I blogged about here:

http://scarybeastsecurity.blogspot.com/2008/02/your-ftp-ssl-solution-is-really-secure.html

In the linked advisory I said "I have a crazy idea to use the SSL session cache as a cheezy form of authentication". Well, thanks to investigation by Tim Kosse of FileZilla fame, it turns out this is a very feasible option. Better still, a large number of clients already (whether they know it or not) use SSL session reuse between the control and data connection. This includes up to date versions of FileZilla, lftp and command line ftp-ssl. Therefore, vsftpd now defaults to requiring SSL session reuse. If your SSL FTP client does not re-use sessions, you can turn this off but you would do better to change FTP clients. Tim's FileZilla seems like a pretty awesome option to me. Hopefully other FTP servers will follow suit (quick source code scanning of popular open source ones seemed to lack a call to the relevant SSL_session_reused OpenSSL API.

Other new security features are:
  • A per-process memory map limit of 100Mb. Just because it was easy, really. Note however!!! A memory leak in a session-private, isolated child process of a daemon cannot really be considered a security problem in this day and age -- unless you're on crack.

  • An ambitious new built-in sandbox. Think of it as privsep++, but more on this in an upcoming post and paper.

32 comments:

AllenChuang said...

Get error message from make procedure.

gcc -c ptracesandbox.c -O2 -Wall -W -Wshadow -idirafter dummyinc
ptracesandbox.c: In function `ptrace_sandbox_permit_utime':
ptracesandbox.c:914: `__NR_utimes' undeclared (first use in this function)
ptracesandbox.c:914: (Each undeclared identifier is reported only once
ptracesandbox.c:914: for each function it appears in.)
make: *** [ptracesandbox.o] Error 1

Should I need to install some required software ?

Anonymous said...

same as Allen`s problem
os version is CentOS release 3.9 (Final)

Chris Evans said...

Sorry about the build breakage, and thanks for trying to try it! Should be addressed at ftp://scary.beasts.org/users/cevans/vsftpd-2.1.1pre1.tar.gz

Anonymous said...

great it works with 2.1.1pre1 thanks lot

Anonymous said...

user_config_dir now requires a per-user config file to exist, login aborts with "500: OOPS: cannot open config file" otherwise.

Was this intentional or is it an unexpected side-effect when removing the security check in handle_per_user_config()?

Anonymous said...

with LFTP | Version 3.7.9:
ls: Access failed: 522 SSL connection failed; session reuse required

You wrote:
"This includes up to date versions of [...] lftp [...]"

This lftp version is only 9 days old and it doesn't seem to support "session reuse". Not sure what exactly your idea of an "up to date version" of lftp is...

Anonymous said...

Chris,
I need the command SITE MD5 added to VSFTPD. Can this be put into a release?

Anonymous said...

I'm gettting sporadic "Fatal error: SSL_read: wrong version number" error messages in old (3.7.0) and new (3.7.9) versions of lftp with the new vsftpd 2.1.0 while downloading :-(

Anonymous said...

In FileZilla 3.2.2.1 while downloading from a friend's "FTPES (FTP over explicit TLS/SSL)" encrypted vsftpd 2.1.0, I get following error often:

Status: Server did not properly shut down TLS connection
Error: Disconnected from server: ECONNABORTED - Connection aborted

This means lots of resuming and is no good!

Anonymous said...

Trying to build this on a RedHat 9 box. Default build (of 2.1.1pre1) works fine, but trying to build it with SSL turned on give me this:

ssl.o(.text+0xd2f): In function `ssl_cert_digest':
: undefined reference to `EVP_sha256'

Anonymous said...

Just in case this may help someone else. I needed to install the latest version of vsftpd 2.1.0 on CentOS 5.2 (rebuild of Red Hat Enterprise Linux 5.2). Here are the steps I had to follow after many dead ends.

1. Download the source rpm from ftp://rpmfind.net/linux/fedora/development/source/SRPMS/vsftpd-2.1.0-2.fc11.src.rpm into an empty working directory.

2. Manually extract the files into the current working directory from the rpm using:

rpm2cpio vsftpd-2.1.0-2.fc11.src.rpm | cpio -idmv --no-absolute-filenames

This step and the following steps are necessary because rpmbuild fails when trying to rebuild.

3. Extract the source files from the tarball contained in the source rpm:

tar xvzf vsftpd-2.1.0.tar.gz

The source files will now be in a subdirectory called vsftpd-2.1.0 and the patch files will be in the current directory.

4. Apply the patches to the source code using:

for patch in `ls vsftpd-2.1.0*.patch`; do patch -p0 < $patch; done

5. Change to the vsftpd-2.1.0 subdirectory and add -lssl to the end of the LIBS line in Makefile.

6. Run make.

7. If all went well, you can you copy the vsftpd executable to /usr/sbin overwriting the previous version (2.0.5). You will want to back up your previous version before doing this.

Craig Peterson said...

The company that provides our SSL support has actively discouraged us from using SSL session resumption because they're aware of some FTPS servers that will disconnect as soon as it's used. So not only are you breaking a bunch of existing FTP clients by adding arbitrary requirements on top of the established spec, but you're forcing us to then break existing FTP servers in response. Thanks. Maybe we'll just suggest to our users that they switch to a less abusive server instead.

Chris Evans said...

@Craig: Thanks for your comment and I understand where you are coming from.

vsftpd is configurable; please feel free to use the option "require_ssl_reuse=NO".

One of vsftpd's appeals is that it is arguably the most secure FTP server available. So, I'm sure you understand why the default is set the way it is. See http://scarybeastsecurity.blogspot.com/2008/02/your-ftp-ssl-solution-is-really-secure.html

Anonymous said...

HELP!!!
I am trying to compile this on a Solaris 10u6 box. Keep hitting the same snag >>>

./vsf_findlibs.sh`
Undefined first referenced
symbol in file
EVP_sha256 ssl.o
ld: fatal: Symbol referencing errors. No output written to vsftpd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `vsftpd'

We have installed openssl as a package (from sunfreeware) and compiled it locally, neither way has helped.

Please, someone... call me names, tell me I'm stupid, anything as long as there is a working answer...
Thanks

Unknown said...

Further info:
After it crashes during the 'make' and running the ./vsf_findlibs.sh seems to find them okay:
# ./vsf_findlibs.sh
-lpam
-ldl
-lsocket
-lnsl
-lresolv
-lposix4
-lposix4
-lsendfile
-lssl -lcrypto

I apologize, I am not a programmer so if I am missing something I appreciate any help.
Thanks,

Unknown said...

Please HelpI have been able to compile on AIX and our Linux machines already come with vsftpd.
Please someone, what is vsftpd looking for on Solaris that is causing the make to fail? How is the environment set up on those of you who have been able to successfully compile on Solaris?

Anonymous said...

user_config_dir now requires a per-user config file to exist, login aborts with "500: OOPS: cannot open config file" otherwise.

Was this intentional or is it an unexpected side-effect when removing the security check in handle_per_user_config()?

---

I see the same issue. Is there a workaround for this yet? This is sort of a big problem for me...

Unknown said...

I was never able to overcome the 'make' errors. However, found http://www.blastwave.org/packages.php/vsftpd to have ssl compiled in, so all is well.
Would have been nice if someone could have found a solution. I'm sure that there are others that have had the same issue.

Anonymous said...

Hello,
@patrick.swartz, maybe you have the wrong OpenSSL version, must upgrade to 0.9.8 to successfully compile vsftpd, what's OpenSSL version ?

Unknown said...

@openssl question - Our Solaris boxes have OpenSSL 0.9.7d 17, which might have been the problem. Am going to stick to the package from blastwave as we have numerous servers to deploy to and packages are easier.
Speaking of packages ---
I was able to successfully build on our AIX 5.3 test server, however, I am not allowed to install all of the compiling parts on our production systems. So....
Can someone help create a RPM or at maybe a good rpm spec file so I can run rpm build?
Thank everyone for your help,
Patrick

Brian said...
This comment has been removed by the author.
Unknown said...

I use vsftpd 2.1.0 and filezilla 3.2.4.1 and I ALWAYS get:
522 SSL connection failed; session reuse required

filezilla support you said??

Chris Evans said...

@A. Mustermann: that's strange. I don't get that with LFTP 3.7.8 (with GnuTLS 2.4.2) on my Ubuntu 9.04 machine. vsftpd linked to openssl-0.9.8g-15ubuntu. I'd love to know what is causing the difference. In the meantime, check out my April 7 post about require_ssl_reuse.

@Gelegrodan: same sort of comment; works fine with FileZilla 3.2.2.1 (GnuTLS 2.4.2-6) on my Ubuntu 9.04. You can again fix this by checking my April 7 post about require_ssl_reuse.

Chris Evans said...

@Hans: looking into this. What OS are you running vsftpd on? It could be related to another report I've had of the data_connection_timeout firing when it should not.

Chris Evans said...

@Hans: Ah, just reproduced it. I'll get v2.1.1 out with a fix ASAP, hopefully tomorrow otherwise after the long weekend.

Chris Evans said...

@Anonymous: the regression relating to per-user config file loading will be fixed in v2.1.1. Absence of a given per-user file will be silently ignored once more.

tfoldi said...

Thanks, reuse=NO option saved my life

t-shirt blanc said...

Thanks a lot for this new release vsftpd-2.1.0 . Cheers

Lox said...

Do you plan to solve that bug where fireftp cannot connect to vsftp using tls/ssl?

Shane said...

We would like to use the require_ssl_reuse option in the user config file, but it doesn't seem to take unless we put in the main config. Can you confirm that's how its working?

nickthecook said...

Hi Chris,

I've been using vsftpd for a few years as my go-to FTP server on Ubuntu. It's great; thanks!

However, I seem to have a problem now with version 2.2.2-3ubuntu6.3, where it is not honouring the require_ssl_reuse=NO setting in the main vsftpd.conf.

Here is the message from the server:

522 SSL connection failed; session reuse required: see require_ssl_reuse option in vsftpd.conf man page

I'm using the FTP plugin for Total Command for Android.

Here is the line from my config:

require_ssl_reuse=NO

Any idea why this setting would not take?

Bernd Eckenfels said...

I am discussing (hopefully) the relationship of require_ssl_reuse and Java FTP clients here:

http://mail.openjdk.java.net/pipermail/security-dev/2016-December/015252.html