0 votes
by (120 points)

We are using your SFTP library and we were wondering if your library is affected by the SLOTH vulnerability (CVE-2015-0777).

In more technical terms, does your library use the MD5 hashing algorithm when establishing SSL/TLS connections? If so, is there a way to disable this?

If it is affected, is there a patched version?

Applies to: Rebex FTP/SSL, Rebex SFTP

1 Answer

0 votes
by (132k points)
edited by

Rebex SFTP library runs over SSH, not TLS/SSL, and thus remains unaffected until practical collision attacks on SHA-1 appear. The SLOTH paper recommends disabling SHA-1 signatures "as soon as practical", but this is not yet possible because the common SSH host key ciphers ssh-rsa and ssh-dss are still widely used. However, starting with Rebex SFTP 2016 R3, they can be disabled if your server supports either RSA with SHA-256 hash (ssh-rsa-sha256@ssh.com cipher) or ECDSA (ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 or ecdsa-sha2-nistp521 ciphers).

Rebex FTP/SSL library runs over TLS/SSL and was affected by SLOTH vulnerability. This has been fixed in Rebex FTP/SSL 2016 R1.1.