Syncplify Server! is *NOT* vulnerable to CVE-2024-6387

OpenSSH, a widely used secure shell-protocol handling software, has recently disclosed a critical vulnerability (CVE-2024-6387) affecting its server component. This flaw could potentially allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. The vulnerability, present in OpenSSH versions 8.5p1 through 9.7p1, is a signal handler race condition that affects the default configuration of sshd.

Qualys researchers have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet[1]. While exploitation requires continuous connections for 6-8 hours under lab conditions, the potential impact is severe, allowing full system compromise and takeover.

It’s important to note that Syncplify Server! is not affected by this vulnerability. Unlike many other SSH servers, Syncplify Server! is not based on OpenSSH in any way. This independent implementation ensures that Syncplify Server! users are protected from vulnerabilities specific to OpenSSH, including CVE-2024-6387.

For those using OpenSSH, it’s crucial to apply the latest patches promptly. Additionally, limiting SSH access through network-based controls and enforcing network segmentation can help mitigate potential risks.


Syncplify Server! v6.2.35 released

Importance of this update: [HIGH]
What’s changed?
  • Updated the back-end SyngoDB database server to v4.11.2, which fixes a session persistence issue
  • Fixed a glitch in the Admin UI which prevented some settings from being correctly saved into the back-end database
  • Improved validators, so that certain “bad configurations” (leading to potential vulnerabilities) will no longer be accepted by the software

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.34 released

Importance of this update: [NORMAL]
What’s changed?
  • Updated the compiler and the standard library, which comes with the usual stdlib bug-fixes our code inherits as well
  • Improved the stability and speed of ASCII file transfers over the FTP(E/S) protocol family

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.33 released

Importance of this update: [NORMAL]
What’s changed?
  • Added the ability to remove links to Help and Knowledge Base from the user-menu of the WebClient! UI
  • Added a dedicated allow-list to control access to WebClient!’s /metrics (Prometheus) endpoint
  • Added configuration settings to fine-tune the allowed Host Key and PKI-Auth Key algorithms

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.32 released

Importance of this update: [HOT-FIX]
What’s changed?
  • Fixed the gzip log rotator, it now correctly gzips log files upon rotation to save space, and doesn’t leave zombie files on disk
  • Slightly improved the logging of users’ PKI authentication phases

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.31 released


Importance of this update: [NORMAL]
What’s changed?
  • Upgraded the Go compiler, standard library and toolchain to v1.22.2
  • Fixed a bug in the SuperAdmin UI that occasionally would mistake two distinct bindings for conflicting ones
  • Reduced the amount of CPU necessary for password authentication (this applies only to new users, or when existing users change/reset their password)

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! Users: Rest Easy, You’re Safe from the XZ Vulnerability

Heads up, admins! A recently discovered vulnerability in the XZ library has system administrators scrambling to patch their SFTP servers. This vulnerability could grant unauthorized access to affected Linux systems – not a fun situation.

But here’s some good news for Syncplify Server! users: you can breathe easy. Syncplify Server! does not utilize the XZ library, meaning your SFTP (and SSH2) server is completely unaffected by this specific exploit.

At Syncplify, security is paramount. We understand the critical role secure file transfer plays in your organization, and we take every precaution to ensure your data remains protected. This isn’t the first time Syncplify has proven its commitment to security:

  • Our software remained unscathed by the Heartbleed bug in 2014.
  • The Terrapin exploit discovered in 2023 posed no threat to Syncplify users.
  • And now, you can add the XZ library vulnerability to the list of non-issues for Syncplify Server! users.

This focus on security is what makes Syncplify the trusted choice for system administrators worldwide.

Looking for More Info?

For a deeper dive into Syncplify’s security features, check out our documentation: https://www.syncplify.com.

If you have any questions, don’t hesitate to reach out to our team. They’re happy to help!


Syncplify Server! v6.2.30 released

Importance of this update: [WORKAROUND]
What’s changed?
  • Implemented a work-around to gracefully handle buggy SFTP clients that attempt multi-phase authentication in the wrong order (not the order explicitly mandated by the SSH2 protocol standard); most of these situations will now be handled internally by Syncplify Server! while maintaining session consistency at the same time

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.29 released

Importance of this update: [MINOR]
What’s changed?
  • Fixed a small bug in DNS record resolution that only affected the Windows version of our software, and only when the operating system’s DNS configuration was wrong in the first place

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!


Syncplify Server! v6.2.28 released

Importance of this update: [OPTIONAL]
What’s changed?
  • Restored support for PKI authentication (SSH2/SCP/SFTP) using insecure RSA keys (SHA1 signature, insecure moduli, …), while secure RSA keys have never been dropped. We understand that transitioning to secure keys can be a challenge for some users. While we’ve provided resources and recommendations for dropping RSA keys for PKI authentication and switching to more secure keys (ECDSA, Ed25519, …), we recognize that some users may require more time, hence the choice to re-enable PKI auth support for these insecure keys. This does not make our server software less secure, it simply means it may allow certain insecure algorithms, but security-conscious users will simply configure our server software not to use them, thus keeping it completely safe and secure

IMPORTANT NOTE: those who are running the “worker” system service under a different account (not System or LocalSystem) will need to re-configure the service to run under such account after upgrading from any version number <= 6.1.12)

Upgrading from v6.x.y is a simple and fairly automatic process: simply download the latest version from the official download page, and install it over the existing version, all of your settings and license will be kept.

If, instead, you’re upgrading from an older (v4/v5) version, you find the upgrade instructions in our knowledge base.

Thank you all for trusting our software with your secure file transfers!