Syncplify Server! is also *NOT* vulnerable to CVE-2024-6409

Following up to our previous post in which we informed our user-base that Syncplify Server! is not affected by CVE-2028-6387, today we have the pleasure to share with you that Syncplify Server! is also completely unaffected by the newly discovered CVE-2024-6409.

CVE-2024-6409 is a signal handler race condition vulnerability in the OpenSSH server (sshd) that occurs when a client fails to authenticate within the LoginGraceTime, potentially leading to information disclosure, denial of service, or unauthorized access.

Syncplify Server!, by virtue of not being based on OpenSSH, does not have such vulnerability.


Syncplify Server! is *NOT* vulnerable to CVE-2024-6387

OpenSSH, a widely used secure shell-protocol handling software, has recently disclosed a critical vulnerability (CVE-2024-6387) affecting its server component. This flaw could potentially allow unauthenticated remote code execution with root privileges on glibc-based Linux systems. The vulnerability, present in OpenSSH versions 8.5p1 through 9.7p1, is a signal handler race condition that affects the default configuration of sshd.

Qualys researchers have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the internet[1]. While exploitation requires continuous connections for 6-8 hours under lab conditions, the potential impact is severe, allowing full system compromise and takeover.

It’s important to note that Syncplify Server! is not affected by this vulnerability. Unlike many other SSH servers, Syncplify Server! is not based on OpenSSH in any way. This independent implementation ensures that Syncplify Server! users are protected from vulnerabilities specific to OpenSSH, including CVE-2024-6387.

For those using OpenSSH, it’s crucial to apply the latest patches promptly. Additionally, limiting SSH access through network-based controls and enforcing network segmentation can help mitigate potential risks.


Syncplify Server! Users: Rest Easy, You’re Safe from the XZ Vulnerability

Heads up, admins! A recently discovered vulnerability in the XZ library has system administrators scrambling to patch their SFTP servers. This vulnerability could grant unauthorized access to affected Linux systems – not a fun situation.

But here’s some good news for Syncplify Server! users: you can breathe easy. Syncplify Server! does not utilize the XZ library, meaning your SFTP (and SSH2) server is completely unaffected by this specific exploit.

At Syncplify, security is paramount. We understand the critical role secure file transfer plays in your organization, and we take every precaution to ensure your data remains protected. This isn’t the first time Syncplify has proven its commitment to security:

  • Our software remained unscathed by the Heartbleed bug in 2014.
  • The Terrapin exploit discovered in 2023 posed no threat to Syncplify users.
  • And now, you can add the XZ library vulnerability to the list of non-issues for Syncplify Server! users.

This focus on security is what makes Syncplify the trusted choice for system administrators worldwide.

Looking for More Info?

For a deeper dive into Syncplify’s security features, check out our documentation: https://www.syncplify.com.

If you have any questions, don’t hesitate to reach out to our team. They’re happy to help!


Upgrade to v6.2.21 now (and be safe from the Terrapin Attack)

Every once in a while something happens that shakes up an entire industry. This is one such time.

The Terrapin Attack (CVE-2023-48795) affected practically every SSH server from every vendor on the planet. And though the bug wasn’t in our own code, we inherited it from Go’s ssh package, so our server software ended up being affected as well.

Kudos to the Go developers who identified and fixed the issue before the CVE was even made public! We will be forever grateful to them, as their timeliness allowed us to release v6.2.21 before this problem affected any of our customers.

We did our part, now it’s all up to you: to make sure your Syncplify Server! is protected from the Terrapin Attack, please, upgrade to v6.2.21+ with the utmost level of urgency. Thank you!


V6 is safer than ever

We just ran the full suite of updated metasploit tests against the latest Syncplify Server! V6 alpha, and we’re happy to announce that our new version withstood all attacks without even breaking a sweat.

The new and improved ProtectorTM was able to identify all known and unknown attacks, add all attacking IP addresses to the block-list, without ever using more than 0.28% of the VM’s combined vCPU core capacity.