Which versions of the Windows TLS/SSL file transfer software like WinSCP and FileZilla are not affected by Heartbleed?

2

I noticed that many people still use versions affected by the Heartbleed vulnerability of widespread TLS/SSL-enabled Windows clients like WinSCP and FileZilla.

To be able to make safe recommendations, I want to have a list with safe versions.

Probably there are old versions which use OpenSSL before 1.0.1 (see http://heartbleed.com/) that seem safe to use (if there are no other reasons not to use them).

For example WinSCP 5.5.3 (not released yet) will be safe with TLS/SSL core upgraded to OpenSSL 1.0.1g.

WinSCP 4.3.7 seems not to be affected because it uses OpenSSL before 1.0.1; can someone confirm this, and is there a later version that works?

What about Filezilla?

mit

Posted 2014-04-09T16:18:56.430

Reputation: 1 369

3 – PuTTY? PuTTY does not have any SSL support at all... – user1686 – 2014-04-09T16:21:00.790

2 – FileZilla uses GnuTLS for its TLS implementation, so it is not affected by Heartbleed. – heavyd – 2014-04-09T16:39:44.790

1 – There are no versions before the current release of OpenSSL that should be used, because earlier versions are vulnerable. – Ramhound – 2014-04-09T16:49:50.003

A list of Heartbleed responses from file transfer server software and projects has been posted here: http://www.filetransferconsulting.com/managed-file-transfer-heartbleed-ftp-server/ (Some are affected, many are not.)

– user87481 – 2014-04-10T15:59:10.903

Answers

5

WinSCP used the affected OpenSSL 1.0.1 since versions 4.3.8 and 5.0.7 beta in respective branches.

WinSCP 5.5.3 upgraded to the OpenSSL 1.0.1g to address the vulnerability. Branch 4.x is not supported anymore and is not planned to be upgraded.

Note that OpenSSL is used by WinSCP with FTP over TLS/SSL only. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

The vulnerability is tracked here:
https://winscp.net/tracker/1151

FileZilla replaced OpenSSL 0.9.8d with GnuTLS since version 3.0, so there is no vulnerable version of FileZilla.

Fortunately, an exploit of the vulnerability in clients is less probable than in servers. As a client, you are in charge of where you connect to. That is, do not connect to servers you do not trust.

Martin Prikryl

Posted 2014-04-09T16:18:56.430

Reputation: 13 764
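The version ranges in the answer above are exactly the kind of thing an administrator needs to apply across a fleet of workstations. The following script is an added example (not code from the question, the answer, or the WinSCP project): it encodes the WinSCP ranges stated in the answer (4.x affected from 4.3.8 with no fix planned, 5.x affected from 5.0.7 beta and fixed in 5.5.3) and the OpenSSL range from heartbleed.com (1.0.1 through 1.0.1f affected, 1.0.1g fixed, earlier branches never had the heartbeat code), and it applies the answer's caveat that only FTP-over-TLS sessions touch OpenSSL. The inventory rows are constructed sample data, the `uses_ftps` flag is an assumed input that you would populate from your own session configuration or survey, and the status strings are this example's own naming. It is a version-based triage, not a test of whether a given host was actually attacked.

```python
import re
from typing import Dict, List, Tuple

# Affected OpenSSL releases per heartbleed.com: 1.0.1 up to and including 1.0.1f.
# 1.0.1g carries the fix; 0.9.8 and 1.0.0 never contained the heartbeat code.
# (Release versions only; the 1.0.2-beta1 pre-release string is not parsed here.)
OPENSSL_FIRST_AFFECTED = (1, 0, 1, 0)   # 1.0.1
OPENSSL_LAST_AFFECTED = (1, 0, 1, 6)    # 1.0.1f


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.0.1g', '4.3.7' or '5.0.7 beta' into a comparable tuple.

    Numeric components are kept as-is; an optional trailing patch letter
    (OpenSSL style) becomes a final ordinal, 0 when absent, so that
    1.0.1 < 1.0.1f < 1.0.1g compares correctly.
    """
    s = re.sub(r"\s*beta\s*$", "", s.strip(), flags=re.IGNORECASE)
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    letter = m.group(2)
    return nums + ((ord(letter) - ord("a") + 1,) if letter else (0,))


def openssl_affected(version: str) -> bool:
    """True if this OpenSSL release string falls in the Heartbleed range."""
    return OPENSSL_FIRST_AFFECTED <= parse_version(version) <= OPENSSL_LAST_AFFECTED


def winscp_heartbleed_status(version: str, uses_ftps: bool) -> str:
    """Classify an installed WinSCP version using the ranges from the answer.

    Returns one of (example's own naming):
      'not_affected'          - OpenSSL not used, or a pre-1.0.1 build
      'affected'              - vulnerable 5.x build, upgrade to 5.5.3+
      'affected_unsupported'  - vulnerable 4.x build; branch gets no fix,
                                so the only remedy is moving to 5.5.3+
      'fixed'                 - 5.5.3 or later (OpenSSL 1.0.1g)
      'unknown'               - branch outside what the answer covers
    """
    if not uses_ftps:
        # WinSCP links OpenSSL only for FTP over TLS/SSL; SFTP/SCP and plain
        # FTP sessions never touch it, so the version is irrelevant here.
        return "not_affected"
    v = parse_version(version)
    if v[0] == 4:
        return "affected_unsupported" if v >= (4, 3, 8, 0) else "not_affected"
    if v[0] == 5:
        if v < (5, 0, 7, 0):
            return "not_affected"
        if v < (5, 5, 3, 0):
            return "affected"
        return "fixed"
    return "unknown"


# Constructed sample inventory: (hostname, installed WinSCP version, uses FTPS?).
INVENTORY: List[Tuple[str, str, bool]] = [
    ("ws01", "4.3.7", True),
    ("ws02", "4.3.8", True),
    ("ws03", "5.5.2", False),
    ("ws04", "5.5.2", True),
    ("ws05", "5.5.3", True),
    ("ws06", "5.0.7 beta", True),
]


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map each host to its status so that rows needing action can be filtered."""
    return {host: winscp_heartbleed_status(ver, ftps) for host, ver, ftps in inventory}


def hosts_needing_action(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Hosts whose WinSCP build is vulnerable and actually exercises OpenSSL."""
    return [h for h, s in triage(inventory).items() if s.startswith("affected")]


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
    print("needs upgrade:", ", ".join(hosts_needing_action(INVENTORY)))
```

Feeding the script a real inventory makes the answer's point concrete: a host on a vulnerable build that only does SFTP drops out of the action list, while a 4.x host that does FTPS stays on it even though its branch will never receive a patch.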