Green End SFTP Server Security Advisory #1
Vulnerabilities
Two vulnerabilities exist in the Green End SFTP
server in all releases prior to 0.2.2:
- A client can send a sequence of SFTP commands that cause
free() to be invoked on the same pointer more than once (CWE-415).
- A client can send a sequence of SFTP commands that cause a null
pointer to be dereferenced (CWE-476).
Impact
The impact of the first issue depends on how the server is deployed.
- If the SFTP server is only used by ordinary SSH login users then in
practice there is no impact, since those users can execute arbitrary
commands anyway.
- However if the SFTP server is deployed in a configuration where there is
reduced trust in the clients, for instance if they are not login users, then
the first issue could (at worst, and depending on system-level mitigations)
lead to privilege escalation.
The impact of the second issue is believed to only be denial of service.
It is included in this advisory as a precaution.
Remediation
Both issues are fixed in release 0.2.2 of the server, available from http://www.greenend.org.uk/rjk/sftpserver/.