Forum » Support and Bug Reports »

Heartbleed bug in OpenSSL

CWincentsen Guest

Heartbleed bug in OpenSSL

2014-04-09 07:15

I just learned of what is considered to be a serious bug in several versions of OpenSSL. I'm concerned that this might/probably affects some recent installations of WinSCP and wanted to alert development to the issue, in case you weren't aware of it already.

This link connects to detailed information about the bug and which versions of OpenSSL are affected... https://heartbleed.com/

Reply with quote

Freitag
Joined:: 2007-10-25
Posts:: 75

2014-04-09 07:23

This heartbleed bug is a server side problem and should not be an issue for client software like WinSCP.

EDIT: a related post https://winscp.net/forum/viewtopic.php?t=13730

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,392
Location:: Prague, Czechia

Re: Heartbleed bug in OpenSSL

2014-04-09

This bug is tracked here:
https://winscp.net/tracker/1151

We are working on a fix.

It actually affects even clients:
https://security.stackexchange.com/q/55119/43677

Though obviously it is a way more difficult to abuse this on a client side (than on a server side).

Note that OpenSSL is used with FTP over TLS/SSL only. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

Reply with quote

Midnitelouie Guest

WinSCP 5.5.3?

2014-04-09 15:28

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?

Reply with quote

Iruwen Guest

2014-04-09 15:38

We are working on a fix.

It actually affects even clients:
https://security.stackexchange.com/q/55119/43677

Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?

Reply with quote

martin◆ Site Admin

Re: WinSCP 5.5.3?

2014-04-09

Midnitelouie wrote:

Showing on the bug report that you've got it fixed in 5.5.3, but no location as to being able to download the package?

It's not released yet. We plan to release 5.5.3 in few days.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,392
Location:: Prague, Czechia

2014-04-09

Iruwen wrote:

Yes it does, but not SSH (and thus SCP/SFTP) clients because SSH obviously doesn't use TLS heartbeats, so WinSCP and other SSH clients shouldn't be affected at all?

That's true. But WinSCP is also TLS/SSL client, when used with FTP over TLS/SSL. Majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

Reply with quote

Iruwen Guest

2014-04-09 17:15

Whoah, I never even noticed that WinSCP supports encrypted FTP until right now :D

Reply with quote

Craig Guest

WinSCP Version Number

2014-04-11 20:38

While I am aware of the registry key containing the version number of WinSCP:

reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\winscp3_is1" /v "DisplayVersion"

Is there a way to output the version number at the command line from winscp.exe?

I am looking for the most efficient and effective way of finding vulnerable versions en masse on large numbers of systems.

Craig

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,392
Location:: Prague, Czechia

Re: WinSCP Version Number

2014-04-11

Craig wrote:

Is there a way to output the version number at the command line from winscp.exe?

C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...

Reply with quote

Craig Guest

Re: WinSCP Version Number

2014-04-11 21:08

martin wrote:

C:\test>WinSCP.com /?
WinSCP, Version 5.5.2 (Build 4130)
Copyright (c) 2000-2014 Martin Prikryl
...

Thank you. I was boneheadedly trying winscp.exe and overlooking winscp.com.

Thanks for the quick reply.

Craig

Reply with quote

CoreyB Guest

WINSCP.EXE to FTPS site

2014-04-23 19:44

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?

Reply with quote

schaitel Guest

What about the .NET interop?

2014-04-24 19:40

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?

Reply with quote

martin◆ Site Admin

Re: WINSCP.EXE to FTPS site

2014-04-25

CoreyB wrote:

If I am using WINSCP.EXE command line to connect to an FTPS site, do I need to upgrade to new version due to HeartBleed?

Yes, you should upgrade. Actually you should always upgrade, when there's a new version available.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,392
Location:: Prague, Czechia

Re: What about the .NET interop?

2014-04-25

schaitel wrote:

We use the .NET interop DLL in SSIS packages for FTP and SFTP, is installing version 5.5.3 enough or do we need to also register and upgrade to the latest Interop DLL?

What do you mean by ".NET interop DLL"? Do you mean WinSCP .NET assembly? You always need to upgrade that along with WinSCP. You cannot use different versions of WinSCP and WinSCP .NET assembly together.

Reply with quote

You can post new topics in this forum