FieldPoint Family

cancel
Showing results for 
Search instead for 
Did you mean: 

FTP bounce vulnerability

A customer of ours did a security check on a cFP-2220 from us and came back with a request for an update to fix the ftp server's vulnerability for bonce attacks (https://nvd.nist.gov/vuln/detail/CVE-1999-0017)...Is there any such security update available for the VxWorks-version running on the cFP-2220 that we could apply?

 

Preferably they would like to switch from ftp and http to ftps and https (they are worried about clickjacking etc). I guess that's not an option with the cFP-2220, they would need to change their hardware to one of the Linux RT-based controllers, right?

0 Kudos
Message 1 of 4
(5,200 Views)

Hi Mads.  I don't know whether there are updates to address that issue, but what version are you using?

 

Will the Access Control settings that are available address their concerns?  We have seen improvements in general reliability using the Access Control restrictions with devices connected to relatively open networks.

 

Matt

0 Kudos
Message 2 of 4
(5,172 Views)

Hi Mads,

 

I don't have a cFP-2220 with me, so I'm not certain if this will work with it. Everything looks possible in theory.

 

In general, industry has moved away from FTP because it is not secure. There are instructions on how to disable it on VxWorks: Disable Real-Time FTP Server. There is another file access method, WebDAV, that is available on VxWorks. More info on WebDAV and use instructions are here.

 

Andrew T.
"His job is to shed light, and not to master" - Robert Hunter
0 Kudos
Message 3 of 4
(5,162 Views)

Deactivated FTP (expected it to be a configuration, but ended up just renaming the ftpout-file...). Installed WebDAV and SSL, user account in place...But the reply on WebDAV is just a 405 Method not allowed.

0 Kudos
Message 4 of 4
(5,148 Views)