Ron Bowes

**Name of the Vulnerable Software and Affected Versions** South River Technologies' Titan MFT and Titan SFTP servers (affected versions not specified) **Description** The issue is related to insufficient path validation when extracting a zip archive, allowing an authenticated attacker to write a file to any location on the filesystem via path traversal. This can be exploited by a remote attacker to record files in arbitrary locations of the file system. **Recommendations** For South River Technologies' Titan MFT and Titan SFTP servers, consider restricting access to the zip archive extraction functionality until a patch is available. As a temporary workaround, consider disabling the zip archive extraction feature to minimize the risk of exploitation. Avoid using the vulnerable path validation mechanism in the affected servers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** South River Technologies' Titan MFT and Titan SFTP servers (affected versions not specified) **Description** The issue is related to insufficient path validation in the Titan MFT and Titan SFTP servers, allowing an authenticated attacker with administrative privileges to read any file on the filesystem via path traversal. This can be exploited by a remote attacker to access arbitrary files in the file system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Titan MFT and Titan SFTP servers (affected versions not specified) **Description** The issue is related to insufficient path validation in the Titan MFT and Titan SFTP servers, allowing an authenticated attacker to obtain the size of an arbitrary file on the filesystem. This can be achieved through path traversal in the ftp "SIZE" command. **Recommendations** For Titan MFT and Titan SFTP servers, consider restricting access to the ftp "SIZE" command until a patch is available. As a temporary workaround, limit the ability of authenticated attackers to perform path traversal attacks by implementing additional validation on file paths. Avoid using the ftp "SIZE" command with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** South River Technologies' Titan MFT and Titan SFTP servers (affected versions not specified) **Description** The issue is related to default file permissions on South River Technologies' Titan MFT and Titan SFTP servers on Linux, allowing a user authenticated to the OS to read sensitive files on the filesystem. This could potentially lead to unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** South River Technologies' Titan MFT and Titan SFTP servers (affected versions not specified) **Description** The issue is related to insufficient path validation when writing a file via WebDAV, allowing an authenticated attacker to write a file to any location on the filesystem via path traversal. This affects South River Technologies' Titan MFT and Titan SFTP servers on Linux. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** South River Technologies' Titan MFT and Titan SFTP servers (affected versions not specified) **Description** A session fixation issue allows an attacker to bypass server authentication by tricking an administrator into authorizing a session ID of their choice. This could potentially enable a remote attacker to execute arbitrary code by writing a file to an arbitrary location on the file system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JSCAPE MFT Server versions prior to 2023.1.9 **Description** The issue is related to unsafe deserialization in the JSCAPE MFT Server, which allows an attacker to execute arbitrary Java code, including OS commands, via its management interface. This can be achieved by sending a specially crafted Java object in XML encoding. The estimated number of potentially affected devices worldwide is around 1,129, according to ZoomEye. **Recommendations** For versions prior to 2023.1.9, update to version 2023.1.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the management interface to minimize the risk of exploitation. Avoid using the vulnerable deserialization mechanism until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fortra Globalscape EFT versions prior to 8.1.0.16 **Description** The issue concerns an out of bounds memory read in the administration server, which can be exploited to crash the service or bypass authentication. **Recommendations** For versions prior to 8.1.0.16, update to version 8.1.0.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Fortra Globalscape EFT versions prior to 8.1.0.16 **Description** The issue is related to a denial of service, where a compressed message that decompresses to itself can cause infinite recursion, leading to a service crash. **Recommendations** For versions prior to 8.1.0.16, update to version 8.1.0.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Fortra Globalscape EFT (affected versions not specified) **Description** The administration server of Fortra Globalscape EFT has an information disclosure issue. This allows the serial number of the hard drive where Globalscape is installed to be found remotely. The issue happens when a "trial extension request" message is sent. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is related to a stack-based buffer overflow in the `udadmin` service, which can lead to remote code execution as the root user. This allows a remote attacker to execute arbitrary code. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later. As a temporary workaround, consider disabling the `udadmin` service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is a heap-based buffer overflow in the unirpcd daemon. If successfully exploited, it can lead to remote code execution as the root user. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later. As a temporary workaround, consider disabling the unirpcd daemon until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is a stack-based buffer overflow that can lead to remote code execution as the root user. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is a stack-based buffer overflow that occurs when a string is copied into a buffer using a memcpy-like function and a user-provided length. This requires a valid login to exploit. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is a memory-exhaustion problem where a decompression routine allocates increasing amounts of memory until all system memory is exhausted, causing the forked process to crash. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is a heap-based overflow vulnerability. Certain input can corrupt the heap and crash the forked process. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue concerns the use of weak encryption for packet-level security and passwords transferred on the wire. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is related to a buffer overflow in an API function of Rocket Software UniData and UniVerse, where a string is copied into a caller-provided buffer without checking the length. This can be exploited by a remote attacker with a valid login, potentially allowing the execution of arbitrary code. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later. As a temporary workaround, consider restricting access to the vulnerable API function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rocket Software UniData versions prior to 8.2.4 build 3003 Rocket Software UniVerse versions prior to 11.3.5 build 1001 Rocket Software UniVerse versions prior to 12.2.1 build 2002 **Description** The issue is related to an authentication bypass vulnerability in the `do log on user()` function of Rocket Software UniData and UniVerse UniRPC. This vulnerability can be exploited by a remote attacker to bypass security restrictions and execute arbitrary commands as the root user. The vulnerability can be leveraged using a special username with a deterministic password to bypass authentication checks. **Recommendations** For Rocket Software UniData versions prior to 8.2.4 build 3003, update to version 8.2.4 build 3003 or later to resolve the issue. For Rocket Software UniVerse versions prior to 11.3.5 build 1001, update to version 11.3.5 build 1001 or later to resolve the issue. For Rocket Software UniVerse versions prior to 12.2.1 build 2002, update to version 12.2.1 build 2002 or later to resolve the issue. As a temporary workaround, consider restricting access to the `do log on user()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Fortra GoAnywhere MFT versions prior to 7.1.2 **Description** Fortra GoAnywhere MFT is susceptible to a pre-authentication command injection due to the deserialization of attacker-controlled objects within the License Response Servlet. The Clop ransomware group actively exploited this issue, identified as CVE-2023-0669, to steal data from over 130 organizations within a ten-day period. The vulnerability allows attackers to execute arbitrary code by sending a POST request to the `/goanywhere/lic/accept` endpoint with a malicious object. The exploitation of this vulnerability has been linked to TA505 and the Clop ransomware group, mirroring tactics used in previous attacks against Accellion FTA in 2021. The vulnerability requires the administrative functions to be exposed over the internet, typically on ports 8000/tcp and 8001/tcp/tls. **Recommendations** Update Fortra GoAnywhere MFT to version 7.1.2 or later. Restrict access to the administrative console to prevent external access. As a temporary workaround, consider disabling the License Response Servlet until a patch can be applied. Monitor network traffic and logs for suspicious activity related to the `/goanywhere/lic/accept` endpoint.