Archives: July 9, 2024

Syncplify Server! is also *NOT* vulnerable to CVE-2024-6409

Following up on our previous post, in which we informed our user base that Syncplify Server! is not affected by CVE-2024-6387, today we have the pleasure of sharing with you that Syncplify Server! is also completely unaffected by the newly discovered CVE-2024-6409.

CVE-2024-6409 is a signal handler race condition vulnerability in the OpenSSH server (sshd) that occurs when a client fails to authenticate within the LoginGraceTime, potentially leading to information disclosure, denial of service, or unauthorized access.

Syncplify Server!, by virtue of not being based on OpenSSH, is not exposed to this vulnerability.


Syncplify Server! is *NOT* vulnerable to CVE-2024-6387

OpenSSH, a widely used implementation of the Secure Shell (SSH) protocol, has recently disclosed a critical vulnerability (CVE-2024-6387) affecting its server component. This flaw could potentially allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. The vulnerability, present in OpenSSH versions 8.5p1 through 9.7p1, is a signal handler race condition that affects the default configuration of sshd.

Qualys researchers have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet[1]. While exploitation requires continuous connections for 6-8 hours under lab conditions, the potential impact is severe, allowing full system compromise and takeover.

It’s important to note that Syncplify Server! is not affected by this vulnerability. Unlike many other SSH servers, Syncplify Server! is not based on OpenSSH in any way. This independent implementation ensures that Syncplify Server! users are protected from vulnerabilities specific to OpenSSH, including CVE-2024-6387.

For those using OpenSSH, it’s crucial to apply the latest patches promptly. Additionally, limiting SSH access through network-based controls and enforcing network segmentation can help mitigate potential risks.
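As an added example (not code from the post or from Syncplify), the following Python screening check parses OpenSSH banner strings, as returned by a server greeting or `ssh -V`, and flags hosts whose version number falls inside the 8.5p1 through 9.7p1 range the post names; the hostnames and banners are constructed.

```python
import re

# Affected range as stated in the post: OpenSSH 8.5p1 through 9.7p1, inclusive.
AFFECTED_MIN = (8, 5, 1)
AFFECTED_MAX = (9, 7, 1)

# Version token from an SSH banner or "ssh -V" output, e.g.
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13" or "OpenSSH_9.3".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample inventory (hypothetical hostnames and banners).
SAMPLE_BANNERS = {
    "bastion-01": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "build-02": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "edge-03": "SSH-2.0-OpenSSH_9.8p1",
    "iot-04": "SSH-2.0-dropbear_2022.83",
    "legacy-05": "SSH-2.0-OpenSSH_8.5p1",
}


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) or None for non-OpenSSH banners."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = m.groups()
    # Non-portable (OpenBSD) releases carry no "pN" suffix; record 0 for them.
    return (int(major), int(minor), int(patch) if patch else 0)


def in_affected_range(banner):
    """True when the upstream version number lies within 8.5p1..9.7p1."""
    version = parse_openssh_version(banner)
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(banners):
    """Classify hosts as 'review' (version in range), 'ok', or 'unknown'."""
    result = {}
    for host, banner in banners.items():
        if parse_openssh_version(banner) is None:
            result[host] = "unknown"  # not OpenSSH, or banner not exposed
        elif in_affected_range(banner):
            result[host] = "review"   # check distro patch level, then update
        else:
            result[host] = "ok"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

A version number alone is a screening signal, not proof: distributions backport fixes without changing the upstream version string, so a "review" result still needs the installed package's patch level confirmed.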


Why PGP is an extremely bad choice for a file server’s at-rest encryption, and how to do it right

Pretty Good Privacy (PGP and all of its variants) is a well-known encryption program that provides cryptographic privacy and authentication for data communication. While PGP is excellent for securing emails and individual files, using it for at-rest file encryption on a file server is not advisable. This article explains why PGP is unsuitable for this purpose and why a streaming encryption method is a better alternative.



Syncplify Server! v6.2.35 released

Importance of this update: [HIGH]
What’s changed?
  • Updated the back-end SyngoDB database server to v4.11.2, which fixes a session persistence issue
  • Fixed a glitch in the Admin UI which prevented some settings from being correctly saved into the back-end database
  • Improved validators, so that certain “bad configurations” (leading to potential vulnerabilities) will no longer be accepted by the software

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.34 released

Importance of this update: [NORMAL]
What’s changed?
  • Updated the compiler and the standard library, which brings the usual stdlib bug fixes that our code inherits as well
  • Improved the stability and speed of ASCII file transfers over the FTP(E/S) protocol family

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.33 released

Importance of this update: [NORMAL]
What’s changed?
  • Added the ability to remove links to Help and Knowledge Base from the user-menu of the WebClient! UI
  • Added a dedicated allow-list to control access to WebClient!’s /metrics (Prometheus) endpoint
  • Added configuration settings to fine-tune the allowed Host Key and PKI-Auth Key algorithms

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.32 released

Importance of this update: [HOT-FIX]
What’s changed?
  • Fixed the gzip log rotator: it now correctly gzips log files upon rotation to save space, and no longer leaves zombie files on disk
  • Slightly improved the logging of users’ PKI authentication phases

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.31 released

Importance of this update: [NORMAL]
What’s changed?
  • Upgraded the Go compiler, standard library and toolchain to v1.22.2
  • Fixed a bug in the SuperAdmin UI that occasionally would mistake two distinct bindings for conflicting ones
  • Reduced the amount of CPU necessary for password authentication (this applies only to new users, or when existing users change/reset their password)

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! Users: Rest Easy, You’re Safe from the XZ Vulnerability

Heads up, admins! A recently discovered vulnerability in the XZ library has system administrators scrambling to patch their SFTP servers. This vulnerability could grant unauthorized access to affected Linux systems – not a fun situation.

But here’s some good news for Syncplify Server! users: you can breathe easy. Syncplify Server! does not utilize the XZ library, meaning your SFTP (and SSH2) server is completely unaffected by this specific exploit.

At Syncplify, security is paramount. We understand the critical role secure file transfer plays in your organization, and we take every precaution to ensure your data remains protected. This isn’t the first time Syncplify has proven its commitment to security:

  • Our software remained unscathed by the Heartbleed bug in 2014.
  • The Terrapin exploit discovered in 2023 posed no threat to Syncplify users.
  • And now, you can add the XZ library vulnerability to the list of non-issues for Syncplify Server! users.

This focus on security is what makes Syncplify the trusted choice for system administrators worldwide.

Looking for More Info?

For a deeper dive into Syncplify’s security features, check out our documentation: https://www.syncplify.com.

If you have any questions, don’t hesitate to reach out to our team. They’re happy to help!


Syncplify Server! v6.2.30 released

Importance of this update: [WORKAROUND]
What’s changed?
  • Implemented a work-around to gracefully handle buggy SFTP clients that attempt multi-phase authentication in the wrong order (not the order explicitly mandated by the SSH2 protocol standard); most of these situations will now be handled internally by Syncplify Server! while maintaining session consistency at the same time

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under that account after upgrading from any version number <= 6.1.12.

Upgrading from v6.x.y is a simple and fairly automatic process: download the latest version from the official download page and install it over the existing version; all of your settings and your license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you will find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!