J-Security Center

Title: SurgeFTP Weak Password Encryption Vulnerability

Severity: HIGH

Description:

SurgeFTP is an FTP server for Windows and Unix platforms offered by NetWin.

SurgeFTP uses weak password hashing that allows fast brute-force cracking of the administrator password. The problem is that a single fixed salt value is used for every password. This narrows the possible hash values and causes some hashes to correspond to multiple passwords.

An attacker can perform an effective brute-force attack by trying passwords in a list ordered by the number of other passwords that share each candidate's hash.

Attackers who successfully brute-force accounts may be able to compromise the system further, with read/write access to the filesystem.
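The following is an added illustration, not code from this advisory or from NetWin, and the fixed-salt scheme in it is a generic stand-in rather than SurgeFTP's actual algorithm. It contrasts a single application-wide salt with a per-user random salt and slow KDF, and includes a simple audit check a defender can run over a password store: if two accounts ever hold identical digests, the store is not using per-user salts. The salt, iteration count, account names and passwords are all constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example values; nothing here is SurgeFTP's real format or salt.
FIXED_SALT = b"one-salt-for-everyone"
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> bytes:
    """Fixed-salt scheme: every account shares one salt, so equal passwords
    give equal digests and a single precomputed table covers all accounts."""
    return hashlib.sha256(FIXED_SALT + password.encode()).digest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); the salt is stored alongside the digest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_salt_suspected(store: dict) -> list:
    """Audit check: group accounts whose stored digests are identical.
    With a per-user salt this should never happen, even when two users
    chose the same password; any group larger than one is evidence of a
    fixed (or missing) salt."""
    by_digest = {}
    for user, digest in store.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


# Constructed sample accounts; two of them happen to use the same password.
ACCOUNTS = {"admin": "Winter2024", "backup": "Winter2024", "ftpuser": "hunter2"}


def build_weak_store() -> dict:
    return {user: weak_hash(pw) for user, pw in ACCOUNTS.items()}


def build_strong_store() -> dict:
    # values are (salt, digest) pairs
    return {user: strong_hash(pw) for user, pw in ACCOUNTS.items()}


if __name__ == "__main__":
    weak = build_weak_store()
    print("fixed-salt store, accounts with identical digests:",
          shared_salt_suspected(weak))
    strong = build_strong_store()
    print("per-user-salt store, accounts with identical digests:",
          shared_salt_suspected({u: d for u, (s, d) in strong.items()}))
```

Running the script reports the `admin`/`backup` pair for the fixed-salt store and nothing for the per-user-salt store; the same duplicate-digest check can be applied to any exported credential table to confirm whether salting is per account.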

Affected Products:

  • NetWin SurgeFTP 2.0.0 B
  • NetWin SurgeFTP 2.0.0 a
  • NetWin SurgeFTP 2.0.0 c
  • NetWin SurgeFTP 2.0.0 d
  • NetWin SurgeFTP 2.0.0 e
  • NetWin SurgeFTP 2.0.0 f

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.