Connect:Enterprise UNIX 2.5.00 Cumulative FTP Maintenance
Built with binaries from CEU2500 iFix 9+ Build 207

* * * DO NOT APPLY THIS MAINTENANCE TO A 2.4.04 SYSTEM. * * *
(Must be installed on CEU 2.5.00 only)

NOTICE: The CEU product will reach End of Support on April 30, 2016.
NOTICE: See http://www-01.ibm.com/software/support/lifecycleapp/PLCDetail.wss?from=spf&synkey=E057825H85398O21
NOTICE: Make plans to upgrade to IBM Sterling File Gateway or another product
NOTICE: before that date.

Contents:
  I.   HIPER fixes / Fixes requiring action by iFix
  II.  Summary of Fixes by iFix/APAR (latest iFix / FixPack first)
  III. Installation Instructions
  IV.  Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In iFix 9+ (April 2016):
  HIPER - Turn off weak ciphers unless ALLOW_WEAKFTP is specified
        - see IT14843 for details

In iFix 8 (July 2015):
  HIPER - Turn off SSLv3 unless ALLOW_SSLv3 is specified
        - Turn off RC4 ciphers unless ALLOW_RC4 is specified
        - see "Upgrade to OpenSSL 1.0.2d" for details

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
===============================================================================

This maintenance package contains the following fixes for SSHFTP processing since Connect:Enterprise 2.5.00 was released:

FTP Fixes

V2.5.00 Patch3 (2.5.0.3) iFix 9+ Build 207 (Apr 2016):
  RTC499414/IT14843 - Turn off weak ciphers unless ALLOW_WEAKFTP specified

V2.5.00 Patch3 (2.5.0.3) iFix 9 Build 204 (Oct 2015):
  Certified the FTP daemons will work with SHA256 private keys and certificates.
V2.5.00 Patch3 (2.5.0.3) iFix 8 Build 201 (Jul 2015):
  Upgrade to OpenSSL 1.0.2d for security patches

V2.5.00 Patch3 (2.5.0.3) iFix 7 Build 86 (Feb 2015):
  IT06953 PSIRT 2635 (Upgrade to OpenSSL 0.9.8ze)

V2.5.00 Patch3 (2.5.0.3) iFix 6 Build 84 (Dec 2014):
  IT06192 Fixing OpenSSL 0.9.8zc on Linux

V2.5.00 Patch3 (2.5.0.3) iFix 5 Build 83 (Nov 2014):
  PSIRT 2290 POODLE - Ability to turn off SSLv3 if -Dtlsonly=true is set
  IT02959 - (FTP/SSH) Remote FTP/SSL PUT failed

V2.5.00 Patch3 (2.5.0.3) iFix 4 Build 74 (Jun 2014):
  PSIRT 1790 - (CORE) OpenSSL upgrade to 0.9.8za level

V2.5.00 Patch3 (2.5.0.3) iFix 3 Build 72 (Feb 2014):
  IC99126 - (FTP/SSH) Connect:Enterprise protocol daemons just drop off
  IC99071 - (FTP/SSH) allowing remote rename regardless of a flag

V2.5.00 Patch3 (2.5.0.3) iFix 2 Build 70 (Jan 2014):
  IC98645 - (FTP) Autoconnect sends PROT P/PBSZ commands to a server before security exchange
  IC98647 - (FTP) Autoconnect fails if port 21 in /etc/services is commented out

V2.5.00 Patch3 (2.5.0.3) iFix 1 Build 69 (Sep 2013):
  IC92328 - (FTP) Autoconnect fails on SSL handshake with trace level set to 9
  RT366869 - (CORE) Upgrade OpenSSL-0.9.8y
  QC20139 - (FTP) Change default behavior on close_notify
  QC20483 - (FTP) subcommand 'user' did not work
  QC20851 - (FTP) FTP_PUT_OPTIONS ID value is not honored during upload
  RTC320247 - (FTP) PASV command with incorrect arguments entered via quote was not parsed correctly
  IC85609 - (FTP) FTP child process spawned into a loop awaiting at least 4 bytes on the control channel

Note: Binaries display the build and release information at startup and in response to a usage display.

Example:
  % cmuftpd -?
  IBM Sterling Connect:Enterprise for UNIX V2.5.00 Patch3 (2.5.0.3) iFix 9+ Build 207
  Secure FTP Server
  * etc. *

===============================================================================
III. Installation Instructions
===============================================================================

* * * DO NOT APPLY THIS MAINTENANCE TO A 2.4.04 SYSTEM. * * *

If you are running on a release prior to 2.5.00, YOU MUST FIRST UPGRADE TO 2.5.00 BEFORE APPLYING THIS MAINTENANCE. If you wish to upgrade directly to CEU 2.5.00 with this maintenance applied, please contact Customer Support for a full install copy.

1) Download the compressed tar file appropriate for your platform and Connect:Enterprise version to your $CMUHOME directory.

2) Uncompress the tar file image:
     uncompress CEU2500.IT14843_FTP.<arch>.tar.Z
   Note: <arch> is sun, hpux, aix or linux.

3) Back up your $CMUHOME/<arch>/lib and $CMUHOME/<arch>/bin directories.

4) Shut down Connect:Enterprise UNIX.

5) If you run your ftp daemons as root in order to listen on port 21 or 22, you will need to reset the ownership on your *ftp* binaries in your $CMUHOME/<arch>/bin directory to your admin id prior to installation.

6) Unload the new binaries:
     tar -xvf CEU2404.IT08262.FTP.<arch>.tar

7) Optional actions:
   o If you run your ftp or sshftp daemons as root in order to listen on port 21 or 22, you will need to reset the ownership on your *ftp*, *ssh* and *sftp* binaries in your $CMUHOME/<arch>/bin directory to root.
   o Check the directories in your $LIBPATH (typically /usr/lib, /usr/local/lib) to see if you copied module libcmusips.so (libcmusips.sl on HPUX) there during a previous install. This is often done when running the ftp daemons as root. If so, replace the copy with the new one from $CMUHOME/<arch>/lib/libcmusips.so (or .sl).
   o If you run any of your protocol daemons in the DMZ, with the rest of the product in the trusted zone behind a firewall, copy the affected protocol binaries and lib/libcmusips.so (or .sl) to your machine in the DMZ.

8) Start Connect:Enterprise UNIX.

Contents of tar file (<arch> is the architecture, e.g. hpux or linux):
  CEU2500.IT14843_FTP.README.txt (this file)
  <arch>/bin/cmuftpd
  <arch>/bin/scp
  <arch>/bin/sftp-server
  <arch>/bin/sftp
  <arch>/bin/ssh
  <arch>/bin/sshd

===============================================================================
IV. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

QC20139 (FTP) Change default behavior on close_notify

After the upgrade to CEU2500, SSL sessions with some third-party client and server software hang during close_notify at the end of a data operation. Prior versions of CEU work. Each data socket is secured with SSL/TLS, and at the end of the transfer CEU begins closing the SSL data socket and sends a close_notify to the other side. We expect to receive one back, but do not get one until a 5-minute timeout has expired.

Resolution: The problem is actually a bug in the remote client or server software, which should respond correctly to our close_notify at the end of the data operation. However, we made 2 updates:
1) Updated the ssl_close logic to properly send and check for close_notify from the peer. Included debug messages at level 10 to determine whether the remote is playing by the rules.
2) If "export NO_WAIT_FOR_PEER_SSL_SHUTDOWN=1" is included in ceustartup prior to the cmuftpd daemon startup, CEU will skip waiting for the remote to send the close_notify and get around the hang condition. This is considered a workaround until the remote software can be fixed to properly respond to the close_notify.
Note: The legacy environment variable WAIT_FOR_PEER_SSL_SHUTDOWN is still honored.

QC20483 (FTP) FTP command (user) fails logon after first successful logon when using the same session - Error lostconn

When a user logs into FTP and then attempts to log in as a different user, they get "Error lostconn" and the session is lost. An earlier fix to use the same mailbox socket for all operations was erroneously closing socket 0 when the USER command was issued.

Resolution: Updated the mailbox close logic to bypass the socket close when the socket number is zero, since that is always STDIN on the FTP command channel.

QC20851 (FTP) FTP_PUT_OPTIONS ID value is not honored during upload

The FTP_PUT_OPTIONS option in the RSD file is supposed to redirect the uploaded file into the mailbox specified by the ID keyword of FTP_PUT_OPTIONS. But the parser of the FTP_PUT_OPTIONS line processed a line with 2 ID words, the one from FTP_PUT_OPTIONS and the main mailbox ID, and the last ID in the line was used as the mailbox ID.

Resolution: The parsing order of the original ID and the redirected ID was reversed; now, if the redirected ID is specified, the upload is directed into that mailbox ID.

RTC320247 (FTP) PASV command with an argument caused FTP replies to get out of sync

A customer made network changes and began to have FTP session failures. One of the new appliances on the network was translating an "EPSV ALL" (extended passive mode) command to "PASV ALL". The CEU FTP server did not expect arguments with the PASV command, but instead of sending one 500 error reply it sent two, causing all subsequent replies to be out of sync on the client. Several other commands which do not allow arguments also cause the duplicate error replies: ABOR, NOOP, PWD, QUIT, REST, SYST, XPWD.

Resolution: Updated the command parser to ignore any arguments included on the PASV command and process the command as if it had no arguments. Made the same change to the parser for the other commands listed above.

RTC313659 (SSH) Autoconnect not retrieving remote file with apostrophe

CEUnix did not provide logic to deal with file names containing an apostrophe. If an apostrophe (single quote) happens to be in a file name (which is legitimate), autoconnect fails to deal with that file.

Resolution: Apostrophe processing logic was added to the autoconnect component.
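The reply-synchronisation problem in RTC320247, and the invalid-request loop described under IC85609 in the next item, can be modelled in a few lines. The following is an added example and not CEU's code: a toy FTP control-channel handler that, like the fixed server, answers every command line with exactly one reply and closes the session after 100 invalid requests. The reply texts are constructed, and the no-argument command set is a subset of the list under RTC320247.

```python
# Added example, not CEU's code: a toy model of the FTP control-channel reply
# logic behind RTC320247 and IC85609. Reply texts are constructed.
REPLIES = {
    "PASV": "227 Entering Passive Mode (127,0,0,1,4,1)",
    "PWD": '257 "/" is the current directory',
    "XPWD": '257 "/" is the current directory',
    "NOOP": "200 NOOP ok",
    "SYST": "215 UNIX Type: L8",
    "QUIT": "221 Goodbye",
}
NO_ARG_COMMANDS = {"PASV", "NOOP", "PWD", "QUIT", "SYST", "XPWD"}
MAX_INVALID = 100   # IC85609: disconnect after 100 invalid requests


class ControlChannel:
    def __init__(self, fixed=True):
        self.fixed = fixed      # False reproduces the pre-RTC320247 double reply
        self.invalid = 0
        self.open = True

    def handle(self, line):
        """Reply lines for one client command line; the fixed server sends one."""
        if not self.open:
            return []
        verb, _, args = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in REPLIES:
            # Unknown or malformed verb: reject it, and end the session rather
            # than spin forever while a client keeps sending garbage (IC85609).
            self.invalid += 1
            if self.invalid >= MAX_INVALID:
                self.open = False
                return ["421 Too many invalid requests; closing control connection"]
            return ["500 Command not understood"]
        if verb in NO_ARG_COMMANDS and args:
            if not self.fixed:
                # Pre-fix behaviour: two error replies for one command line, so
                # the client pairs the second one with its *next* command.
                return ["501 Syntax error in parameters"] * 2
            args = ""   # RTC320247: treat "PASV ALL" exactly like "PASV"
        if verb == "QUIT":
            self.open = False
        return [REPLIES[verb]]


def run_session(lines, fixed=True):
    """Feed client lines through one channel; return (all replies, still open)."""
    channel = ControlChannel(fixed)
    replies = [reply for line in lines for reply in channel.handle(line)]
    return replies, channel.open
```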
IC85609 (FTP) FTP child process spawned into a loop awaiting at least 4 bytes on the control channel

When an ftp client sends a wrong request (3 letters of action code instead of 4), CEUnix rejects it but did not disconnect. If the client keeps sending invalid requests, it causes a loop, resembling a denial of service attack.

Resolution: After 100 invalid requests, the session is disconnected, the reason is logged, and the trace shows the reason for the disconnect.

CVE-2012-2333 - Invalid TLS/DTLS record attack

Security advisory.

Resolution: Upgrade to OpenSSL 0.9.8.x

IC92328 - (FTP) Autoconnect fails on SSL handshake with trace level set to 9

Upgrading to OpenSSL 0.9.8y caused the SSL handshake to fail, because of a bug in OpenSSL certificate printing.

Resolution: The code was changed to circumvent the OpenSSL bug.

IC98645 - (FTP) Autoconnect sends PROT P/PBSZ commands to a server before security exchange

Autoconnect sends PROT P/PBSZ commands to a server before the security exchange to accommodate FileZilla servers, but this breaks other servers.

Resolution: The environment variable FTP_PBSZ_BEFORE_SECURITY_XCHANGE has been implemented. If it is set, ftp sends PROT P/PBSZ before the security exchange; if not, they are sent after security has been established.

IC98647 - (FTP) Autoconnect fails if port 21 in /etc/services is commented out

Resolution: Bypass checking whether the ftp service is running, because it is redundant.

IC99071 - (FTP/SSH) allowing remote rename regardless of a flag

During a remote connect, the user attempts to rename a file that was uploaded to the repository. The rename fails because it was unable to locate the batch.

Resolution: Now allow batches to be renamed by SSHFTP even if they don't have the R flag set.

IC99126 - (FTP/SSH) Connect:Enterprise protocol daemons just drop off, and no errors or commands listed

Customer getting core dumps in FTP and SSHFTP child processes when running traces and there are problems at the end of the session. Various debug messages were not coded correctly, causing the segmentation faults. Also, during reconnect processing with the master daemon, the ACD slave socket was not closed completely, which caused the next remote connect session to fail.

Resolution:
- Corrected debug statements to include all required parms to avoid core dumps.
- Cleaned up lostpeer processing in the FTP and SSHFTP child processes when connections drop.
- Ensure the ACD slave socket is closed completely during reconnect processing.

PSIRT 1790 - (CORE) Security advisory. Man-in-the-middle vulnerability fix

Resolution: Upgrade OpenSSL to 0.9.8za level.

IT02959 - (FTP/SSH) Remote FTP/SSL PUT fails on Linux (SSL/TLS error)

Remote FTP/SSL on Linux was failing to execute the PUT command.

Resolution: Remote FTP/SSL on Linux was fixed.

IT06192 - Fixing OpenSSL 0.9.8zc on Linux

CEU OpenSSL 0.9.8zc was misconfigured on the Linux platform.

Resolution: OpenSSL libraries on Linux were fixed.

PSIRT 2635 - Upgrade to OpenSSL 0.9.8ze

Resolution: OpenSSL libraries were upgraded to the latest level, 0.9.8ze.

Upgrade to OpenSSL 1.0.2d

Resolution: OpenSSL libraries were upgraded to the latest level, 1.0.2d. The SSLv3 protocol has also been disabled by default; if you want this protocol enabled, you need to specify the environment variable ALLOW_SSLV3=1. RC4 ciphers are also disabled by default; if you want to use them, you have to specify the environment variable ALLOW_RC4=1.

RTC499414/IT14843 - Turn off weak ciphers unless ALLOW_WEAKFTP specified

The SSLv2 protocol may be exposed for FTP sessions if certain export cipher suites are enabled, even though the TLSv1 protocol has been specified. This is expedited PSIRT 4895, DROWN - Cross-protocol attack on TLS using SSLv2 - CVE-2016-0800.

Resolution: Now turn off all cipher suites except the ones labeled STRONG unless "export ALLOW_WEAKFTP=1" is coded in ceustartup prior to the FTP daemon startup. Without ALLOW_WEAKFTP coded, only the following cipher suites will be allowed:
  RSA_WITH_AES_256_CBC_SHA
  RSA_WITH_3DES_EDE_CBC_SHA
  RSA_WITH_AES_128_CBC_SHA

Note: If your site runs with the SPD parameter CIPHER_STRENGTH = STRONG, you are not vulnerable to the DROWN advisory and do not need to apply the fix.
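Two checks a practitioner would want after applying this maintenance, written here as an added example and not IBM's code: finding stale copies of libcmusips.so (or .sl) in the $LIBPATH directories named in installation step 7, and listing any ALLOW_WEAKFTP, ALLOW_SSLV3 or ALLOW_RC4 exports in ceustartup that re-enable what iFix 8 and 9+ disable by default. It assumes ceustartup sets variables with "export NAME=value" lines, as the examples above show; the directory and file contents used to exercise it are constructed.

```python
import hashlib
import os
import re

# Added example, not IBM's code. Assumes ceustartup is a shell script that
# sets variables with "export NAME=value" lines, as this README shows.
WEAKENING_VARS = ("ALLOW_WEAKFTP", "ALLOW_SSLV3", "ALLOW_RC4")
EXPORT_RE = re.compile(r"^\s*export\s+([A-Z_][A-Z0-9_]*)=(\S*)")
LIB_NAMES = ("libcmusips.so", "libcmusips.sl")   # .sl on HP-UX


def _digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def stale_library_copies(new_lib, search_dirs):
    """Copies of libcmusips in search_dirs (e.g. the $LIBPATH entries) whose
    contents differ from the freshly installed new_lib; such copies would keep
    serving the pre-maintenance library to daemons that load them."""
    new_digest = _digest(new_lib)
    stale = []
    for d in search_dirs:
        for name in LIB_NAMES:
            candidate = os.path.join(d, name)
            if os.path.isfile(candidate) and _digest(candidate) != new_digest:
                stale.append(candidate)
    return stale


def weakening_exports(startup_text):
    """Map of ALLOW_* variables exported in ceustartup to their values.
    Any export is reported, whatever the value, so a reviewer sees it;
    commented-out lines ('# export ...') do not match EXPORT_RE."""
    found = {}
    for line in startup_text.splitlines():
        m = EXPORT_RE.match(line)
        if m and m.group(1) in WEAKENING_VARS:
            found[m.group(1)] = m.group(2)
    return found


def audit(new_lib, search_dirs, startup_text):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = [f"stale library copy: {p}"
                for p in stale_library_copies(new_lib, search_dirs)]
    for var, value in weakening_exports(startup_text).items():
        findings.append(f"{var}={value} in ceustartup re-enables crypto this "
                        f"maintenance disables by default")
    return findings
```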