1 Reply Latest reply on Feb 14, 2019 11:16 AM by jxchappell

    SFTP Vulnerabilities

    o3burn

      Got this notice this weekend.  Anyone have comments or suggestions?

       

      SolarWinds SFTP Insecure Password Storage

      In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration file is
      world readable and writable, and stores user passwords in an insecure
      manner, allowing an attacker to determine passwords for potentially
      privileged accounts. This also grants the attacker an ability to backdoor
      the server.

      Vulnerability affects versions prior to November 2018 release.

      CVE-2018-16792 - SolarWinds SFTP XXE Vulnerability

      SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a
      world readable and writable configuration file that allows an attacker to
      exfiltrate data.

      Vulnerability affects versions prior to November 2018 release.
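
For the world readable and writable configuration file described in the notice above, this added example (not part of the original post and not SolarWinds code) reports which broad Windows principals are allowed to read or modify a given file. The function name `Get-BroadFileAccess`, the list of SIDs treated as "world", and the path in the usage comment are assumptions; the notice does not name the file's location.

```powershell
# Added example: report Allow ACEs that give broad principals read or write
# access to a file. Deny ACEs are not evaluated, so treat output as a lead to review.
function Get-BroadFileAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed "world" set: Everyone, Authenticated Users, BUILTIN\Users, Anonymous Logon
        [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7')
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal change the file or its ACL, plus GENERIC_WRITE / GENERIC_ALL.
    $writeMask = [int]($fsr'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership') `
                 -bor 0x40000000 -bor 0x10000000
    # Rights that expose file contents, plus GENERIC_READ / GENERIC_ALL.
    $readMask  = [int]($fsr'ReadData') -bor 0x80000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the match works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadSids -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            CanRead   = ($rights -band $readMask)  -ne 0
            CanWrite  = ($rights -band $writeMask) -ne 0
            Inherited = $ace.IsInherited
            Rights    = $ace.FileSystemRights
        }
    }
}

# Usage (placeholder path, replace with the server's actual configuration file):
# Get-BroadFileAccess -Path 'C:\PLACEHOLDER\sftp-server-config-file' | Format-Table -AutoSize
```

Any row with `CanWrite` set to True means an unprivileged local account can alter the file; rows marked `Inherited` point to the parent folder's ACL as the place to correct it.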