n.runs-SA-2008.001 JSCAPE insecure SSH Host key verification

Vendor: Jscape, http://www.jscape.com/
Affected Products:  Jscape Secure FTP Applet http://www.jscape.com/sftpapplet/index.html
Vulnerability:  SSH Host key is not verified allowing man-in-the-middle attacks
Risk: Medium


Vendor communication:

2006/04/12   n.runs sends a Vulnerability Notice informing Jscape about the nature of the problem and the impact.
2006/04/13   Jscape acknowledges and ask for more details
2006/04/13   n.runs gives more details
2007/07/26   n.runs asks for feedback and if the problem has been patched
2007/07/26   Jscape replies "We do not have a release date yet forthis task"
2007/07/26   n.runs asks whether they can offer a estimate when the patch will be available
2007/07/26   Jscape answers again "We do not have a release date yet for this task"
2008/02/19   n.runs requests a statement to be used in the advisory as there seems to be no intention to patch and argues "you deem this problem as low yet it renders the *secure connection* insecure."
2008/02/20   Jscape promises to "continue to look into this issue and tify you when a patch is available". no
2008/02/25   n.runs notifies Jscape that an advisory will be released by the end of the week if they do not patch the flaw n.runs reported roughly 2 years ago. "Given the long time this has already been reported (12/2006), and the criticality of this issue, I would
expect a patch to be ready by the end of the week. If the patch is not available until the end of this week (29.02.2008) I'll proceed with the advisory"
2008/02/29   Jscape notifies n.runs that the flaw has been patched
2008/06/01   n.runs verifies the patch and confirms that man-in-the-middle is no longer possible if the user does  not accept the new key. n.runs however recommends that Jscape warns the users of the security implications of a new SSH Host key rather then simply displaying "New Host  key".

Overview:
The JSCAPE Secure FTP Applet suffers from a man-in-the-middle vulnerability.
JSCAPE software has been deployed in a wide array of industries including aerospace, banking, communications, education, insurance, finance, government and software. With customers in more than 50 countries worldwide the following is a small sample of companies who use JSCAPE products and services. Customers include Boeing, SUN, ISS, SAP - See http://www.jscape.com/clients.html for more details.

The JSCAPE Secure FTP Applet is a secure FTP client that runs within Java enabled web browsers. The software supports SFTP (FTP over SSH) and FTPS (FTP over SSL) for encrypted file transfer.

Description:
To prevent man-in-the-middle attacks it is important to check the authenticity of the destination server by verifying the host key of the server when establishing the SSH connection. With previous versions of the JSCAPE Secure FTP applet it was not possible to verify the authenticity of the destination server.

Impact
When using affected versions of the JSCAPE secure FTP applet, users are not able to identify man-in-the-middle attacks. The supposedly secure connection is no longer secure. An attacker is able to eavesdrop on the connection in order to extract username and password or take over the initiated session.

Solution:
Upgrade to version 4.9.0 or above

Credits:
Vulnerability found by Frank Dick and Thierry Zoller

Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.