
Security Patch for CVE-2023-45685 Through CVE-2023-45690

An independent cyber security research team (Rapid7) has identified several security issues, mainly affecting the Linux versions of Titan SFTP and Titan MFT Servers. The affected versions are 2.0.17 and earlier of Titan SFTP and Titan MFT (formerly Cornerstone MFT) Servers. All of the issues documented below have been fixed in version 2.0.18 of Titan SFTP and Titan MFT Servers, and we recommend that our customers upgrade to that version.

Windows and Linux platform issues:

1. CVE-2023-45685 - "ZipSlip Execution": If the Administrator configured an event to unzip a user-uploaded zip file, and that archive contained an entry whose relative path included traversal components such as ..\..\.. or ../../.., the entry could be written outside the intended extraction directory. With version 2.0.18 of Titan and later, a zip file containing such relative paths will not be unzipped at all and an error will be logged. The issue can also be avoided entirely by not configuring any events that unzip files.

2. CVE-2023-45687 - "Session Fixation": We consider this a minor issue, since an Admin username and password are still required to create a session. Nevertheless, in 2.0.18 we have changed the server so that authentication via an Authorization header no longer returns a session to the client.

3. CVE-2023-45689 - "Path Traversal in Admin Interface": An Administrator who holds admin credentials to the Titan Server can construct a request that performs path traversal and allows files outside the intended location to be downloaded or deleted. Since this requires Administrator credentials, we consider this a minor threat.

Linux only issues:

1. CVE-2023-45686, CVE-2023-45688 - "WebDAV and FTP Path Traversal": This is a Linux-only issue in which an authenticated user could use path traversal to access files outside the user's home directory. This has been fixed in 2.0.18 so that, on Linux, any path that resolves outside the user's home directory is rejected.

2. CVE-2023-45690 - "Information Leak": After installation, the various data folders under /var/southrivertech/srxserver were created with world-read permission, so anybody with shell access to the system could read the log files and database files. Since this requires shell access we consider this a minor issue; nevertheless, on version 2.0.18 and later the data folders no longer have world-read permission enabled.
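The check behind the unzip fix (CVE-2023-45685), the admin-interface traversal (CVE-2023-45689) and the WebDAV/FTP home-directory restriction (CVE-2023-45686, CVE-2023-45688) is the same one: resolve the caller-supplied path beneath the permitted base directory and refuse anything that lands outside it. The Python below is an added example written for this page, not code from the Titan server or from Rapid7. The function names (resolve_under, safe_extract, user_file_path, is_contained), the directory /srv/titan/home/alice and the zip archives are all constructed for the demonstration; the archives are built in memory so the example runs offline.

```python
import io
import os
import tempfile
import zipfile


def resolve_under(base_dir, user_path):
    """Resolve user_path beneath base_dir and return the absolute target.

    Raises ValueError if the path is absolute or escapes base_dir once '..'
    components and symlinks are resolved (the containment check the
    advisory describes for unzip, the admin interface and the user jail).
    """
    # Treat backslashes as separators too: a zip entry or request may carry
    # "..\..\" and a Linux server must not accept it as a plain file name.
    normalised = user_path.replace("\\", "/")
    # Absolute names and drive letters are refused rather than silently re-rooted.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise ValueError("absolute path not allowed: %r" % user_path)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *normalised.split("/")))
    # commonpath is the correct containment test; a naive startswith check
    # would accept /home/alice-evil as being inside /home/alice.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %r: %r" % (base_dir, user_path))
    return candidate


def is_contained(base_dir, user_path):
    """Boolean form of resolve_under, convenient for request validation."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


def user_file_path(home_dir, requested):
    """Map a WebDAV/FTP request path (rooted at the user's virtual '/') onto
    the real home directory, rejecting anything that points outside it."""
    return resolve_under(home_dir, requested.lstrip("/\\"))


def build_demo_zip(entries):
    """Construct an archive in memory from {name: bytes}; entry names are
    deliberately not sanitised so a ZipSlip entry can be built for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes, dest_dir):
    """Extract an archive, refusing (as Titan 2.0.18 does) any entry that would
    land outside dest_dir. Returns the list of file paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate every entry before writing anything, so a bad archive is
        # rejected whole instead of being left half-extracted.
        targets = [(info, resolve_under(dest_dir, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run the constructed scenario in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        real_dest = os.path.realpath(dest)
        good = safe_extract(build_demo_zip({"docs/readme.txt": b"hello"}), dest)
        # Constructed malicious upload: one harmless entry plus one ZipSlip entry.
        malicious = build_demo_zip({"docs/ok.txt": b"x", "../evil.txt": b"pwned"})
        try:
            safe_extract(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "good_written": [os.path.relpath(p, real_dest) for p in good],
            "malicious_rejected": rejected,
            "partial_extraction": os.path.exists(os.path.join(dest, "docs", "ok.txt")),
        }


if __name__ == "__main__":
    print(demo())
    print(user_file_path("/srv/titan/home/alice", "/docs/report.txt"))
    print(is_contained("/srv/titan/home/alice", "../bob/secret.txt"))
```

Two design points matter in practice: the archive is validated in full before the first byte is written, which is what makes "will not unzip at all" true rather than "stops part-way"; and realpath is applied to the resolved candidate, so an earlier-extracted symlink pointing outside the destination cannot be used to smuggle a later entry out.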

Additional Security Steps:

As mentioned previously, upgrading to version 2.0.18 of Titan SFTP or Titan MFT provides fixes for the issues above, but there is a further way to limit their impact: configure the Titan SFTP or Titan MFT service not to run under the Local System account on Windows (or an equivalently privileged account on Linux) but under a dedicated Windows or Linux user account with limited privileges. For example, create a Windows/Linux user account called "TitanAdmin" and grant it permissions only on the server's data and log directories. Then configure the service to run as "TitanAdmin"; any path traversal in the server is then confined to the locations that account can reach. You would also need to make sure that the "TitanAdmin" account has access to any UNC paths in use, and to the SQL Server instance if you are not using SQLite.
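A quick way to verify both points above on a Linux host: that the data folders under /var/southrivertech/srxserver (the path named in the advisory) carry no world permissions, and that they are owned by the dedicated service account rather than root. The following is an added example written for this page, not part of the product or the advisory; the function names and the temporary directory layout used by demo() are constructed here, and it is Unix-only because it relies on os.getuid and POSIX mode bits.

```python
import os
import stat
import tempfile

# Permission bits for "other". Any of them set on a data or log folder is the
# world-readable condition described under CVE-2023-45690.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def _entries(root):
    """Yield every directory and regular file under root, skipping symlinks
    (their own mode is 0777 and the target is judged where it is walked)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                yield path, st


def audit_data_dir(root, owner_uid=None):
    """Return a sorted list of (relative_path, problem) for every entry under
    root that grants any permission to 'other' or, when owner_uid is given,
    is not owned by the dedicated service account."""
    findings = []
    for path, st in _entries(root):
        rel = os.path.relpath(path, root)
        if st.st_mode & OTHER_BITS:
            findings.append((rel, "world-accessible mode %o" % stat.S_IMODE(st.st_mode)))
        if owner_uid is not None and st.st_uid != owner_uid:
            findings.append((rel, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)))
    return sorted(findings)


def strip_other_permissions(root):
    """Clear all 'other' bits under root (the 2.0.18 default for the data
    folders) and return the number of entries changed."""
    changed = 0
    for path, st in _entries(root):
        mode = stat.S_IMODE(st.st_mode)
        if mode & OTHER_BITS:
            os.chmod(path, mode & ~OTHER_BITS)
            changed += 1
    return changed


def demo():
    """Constructed layout standing in for the data folders: a world-readable
    logs directory and log file next to a correctly restricted database file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        os.chmod(os.path.join(root, "logs"), 0o755)
        for name, mode in (("logs/server.log", 0o644), ("data.db", 0o640)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        os.chmod(root, 0o750)
        me = os.getuid()  # stands in for the dedicated service account's uid
        before = audit_data_dir(root, owner_uid=me)
        changed = strip_other_permissions(root)
        after = audit_data_dir(root, owner_uid=me)
        return {"before": [rel for rel, _ in before], "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Against a live install you would call audit_data_dir("/var/southrivertech/srxserver", owner_uid=pwd.getpwnam("TitanAdmin").pw_uid) as root and review the findings before applying strip_other_permissions; the audit deliberately reports rather than changes anything, and the fix only touches the "other" bits so owner and group access for the service account is untouched.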
