Bitvise FlowSsh Version History
For issues that might arise using the latest FlowSsh versions, see Known issues.
Changes in FlowSsh 9.42: [ 9 December 2024 ]
SSH:
In previous 9.xx versions, the FlowSshNet constructor Keypair.CreateFromData, the FlowSshCpp constructor for Keypair which takes Data, and the FlowSshC function FlowSshC_Keypair_CreateFromData, would block indefinitely if the application provided a passphrase-protected keypair, but the passphrase was incorrect. Fixed.
A server which identifies itself as SSH-2.0-HOSTED~FTP~ SFTP claims to support SSH_MSG_EXT_INFO, but disconnects if the client sends it. FlowSsh now automatically disables sending of SSH_MSG_EXT_INFO to this server by default. This can be controlled using the FlowSshNet/Cpp method Client.SetOptions or the FlowSshC function FlowSshC_Client_SetOptions2.
SFTP:
For downloads, text file auto-detection should now work with servers such as Maverick SSHD, which do not support re-reading data that was already read.
When errors occur while using SFTP v4+ text mode, the error description will now include a remark that the file was opened using SFTP v4+ text mode.
Security Clarification: [ April 2024 ]
We are receiving inquiries about whether our software is affected by the recent PuTTY ECDSA/nistp521 private key compromise due to signature nonce generation described in CVE-2024-31497.
Bitvise software implements ECDSA/nistp521 using Windows cryptography on all recent versions of Windows, or using Crypto++ on Windows XP and Windows Server 2003. These are different cryptographic implementations than PuTTY and are not known to be affected by this issue.
Security Clarification: [ April 2024 ]
We are receiving inquiries about whether our software is affected by the recent XZ Utils backdoor described in CVE-2024-3094.
Bitvise software does not use XZ Utils and is not affected by this issue.
Changes in FlowSsh 9.34: [ 11 April 2024 ]
SSH:
When FlowSsh fails to connect to a server, the error message now contains more detailed information about IP addresses to which the library attempted to connect.
SFTP:
When the server supports synchronization using block-by-block hashing, the Resume and Overwrite file transfer flags now once again behave differently. This allows the application to express a preference to resume a file, but only if the partial destination file is unchanged relative to the source.
When uploading, FlowSsh now includes the extended SFTP attribute intended-size@bitvise.com to communicate the final intended size of the file. This can help detect and diagnose incomplete transfers.
The following new file transfer flags are supported:
ResumeVerifiable: Acts like Resume, but does not resume unless the server supports synchronization using block-by-block hashing. This avoids corruption which is possible if heuristic resume detects the file can be resumed, but there are subtle changes in the middle of the file.
NoSync: Disables synchronization using block-by-block hashing, even if the server supports it. This can be used with Resume to achieve a faster heuristic resume, but corruption is possible if there are subtle changes in the middle of the file.
NoBuf_PreferYes and NoBuf_PreferNo: If the server supports the extended SFTP attribute no-buffering@bitvise.com, this allows the application to express a preference whether the server should open the file for unbuffered I/O.
Changes in FlowSsh 9.32: [ 20 December 2023 ]
Security:
Terrapin - CVE-2023-48795: Researchers have identified an issue where all SSH connections which use the encryption algorithm ChaCha20-Poly1305, or any integrity algorithm of type encrypt-then-MAC, are vulnerable to packet sequence manipulation by an active attacker, if the attacker can intercept the network path. This can be used to sabotage SSH extension negotiation. This affects extensions with security impact, such as server-sig-algs.
Since the attacker can only remove packets sent before user authentication, this does not seem to fatally break the security of the SSH connection. However, it is a cryptographic weakness to address.
Bitvise software versions 9.32 and newer support strict key exchange. This is a new SSH protocol feature which mitigates this attack. The SSH client and server must both implement strict key exchange for mitigation to be effective. Other SSH software authors are also releasing new versions to support this.
If you must interoperate with SSH software which does not support strict key exchange, consider disabling the encryption algorithm ChaCha20-Poly1305, as well as integrity algorithms of type encrypt-then-MAC. These are the newer data integrity protection algorithms whose names contain -etm.
Bitvise software versions 8.xx and older are not substantially affected because they do not implement algorithms where this issue is practically exploitable. Nevertheless, we suggest updating all SSH software to new versions that support strict key exchange.
The encryption algorithms aes256-gcm and aes128-gcm are substantially immune from this attack. Users who are committed to older SSH software versions should consider using AES GCM. If this is not possible, the data integrity protection algorithms which are not named -etm are not entirely immune, but are also not believed to be practically exploitable. For compatibility with SSH software which does not support strict key exchange or AES GCM, an algorithm combination such as AES CTR with non-ETM data integrity protection may continue to be acceptable.
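The guidance above expressed as a check (an added example, not Bitvise code): it parses both sides' SSH_MSG_KEXINIT payloads, applies the RFC 4253 first-match rule per direction, and classifies the negotiated cipher and MAC. The wire names used (chacha20-poly1305@openssh.com, the kex-strict-c/s-v00@openssh.com markers) are the OpenSSH names for these algorithms and for strict key exchange; the sample payloads and the verdict labels are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_SERVER = "kex-strict-s-v00@openssh.com"


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used only to construct the samples below."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie (constructed)
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}  # skip message type byte and 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before " + name)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("name-list overruns payload: " + name)
        raw = payload[pos:pos + length].decode("ascii")
        parsed[name] = raw.split(",") if raw else []
        pos += length
    return parsed


def first_match(client_list, server_list):
    """RFC 4253: the first client preference that the server also lists."""
    return next((alg for alg in client_list if alg in server_list), None)


def classify(cipher, mac):
    """Map one direction's cipher/MAC onto the categories in the text above."""
    if cipher is None:
        return "no-common-cipher"
    if "chacha20-poly1305" in cipher:
        return "exposed"
    if "gcm" in cipher.lower():
        return "gcm"        # AEAD cipher: the negotiated MAC is not used
    if mac is not None and "-etm" in mac:
        return "exposed"    # encrypt-then-MAC integrity algorithm
    return "non-etm"


def assess(client_payload, server_payload):
    client, server = parse_kexinit(client_payload), parse_kexinit(server_payload)
    # Strict key exchange only mitigates when both peers signal it.
    strict = STRICT_CLIENT in client["kex"] and STRICT_SERVER in server["kex"]
    directions = {}
    for d in ("c2s", "s2c"):
        cipher = first_match(client["enc_" + d], server["enc_" + d])
        mac = first_match(client["mac_" + d], server["mac_" + d])
        directions[d] = {"cipher": cipher, "mac": mac,
                         "class": classify(cipher, mac)}
    exposed = any(v["class"] == "exposed" for v in directions.values())
    verdict = "strict-kex" if strict else "exposed" if exposed else "low-risk"
    return {"strict_kex": strict, "verdict": verdict, "directions": directions}


# Constructed sample offers (not captured traffic).
ENC = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]
MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
CLIENT = build_kexinit(kex=["curve25519-sha256", STRICT_CLIENT],
                       enc_c2s=ENC, enc_s2c=ENC, mac_c2s=MAC, mac_s2c=MAC)
OLD_SERVER = build_kexinit(kex=["curve25519-sha256"],
                           enc_c2s=ENC, enc_s2c=ENC, mac_c2s=MAC, mac_s2c=MAC)
OLD_SERVER_HARDENED = build_kexinit(kex=["curve25519-sha256"],
                                    enc_c2s=["aes256-ctr"], enc_s2c=["aes256-ctr"],
                                    mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"])
NEW_SERVER = build_kexinit(kex=["curve25519-sha256", STRICT_SERVER],
                           enc_c2s=ENC, enc_s2c=ENC, mac_c2s=MAC, mac_s2c=MAC)

if __name__ == "__main__":
    for label, server in (("old server", OLD_SERVER),
                          ("old server, ChaCha20 and -etm disabled", OLD_SERVER_HARDENED),
                          ("server with strict key exchange", NEW_SERVER)):
        print(label, "->", assess(CLIENT, server)["verdict"])
```

The hardened case corresponds to the fallback the text describes for peers without strict key exchange: with ChaCha20-Poly1305 and the -etm MACs removed from one side's offer, negotiation lands on AES CTR with a non-ETM MAC.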
SFTP:
FlowSsh now prefers to open remote files using the flags SSH_FXF_BLOCK_WRITE and SSH_FXF_BLOCK_ADVISORY, instead of only SSH_FXF_BLOCK_WRITE. This allows the server to strip the block flag if it is not supported by a part of its filesystem.
Changes in FlowSsh 9.27: [ 14 February 2023 ]
OpenSSL version updated to 1.1.1t. Bitvise software primarily uses Windows CNG for cryptography. We use OpenSSL for specific cryptographic algorithms not supported by Windows. Currently, these are chacha20-poly1305 and the elliptic curve secp256k1 on older Windows versions. Our software does not use OpenSSL features affected by recent OpenSSL security advisories.
Changes in FlowSsh 9.15: [ 5 February 2022 ]
When using one of the key exchange methods with Diffie Hellman group exchange, Bitvise SSH Client and FlowSsh could perform an invalid memory access. Invalid DH group size parameters could be sent to the server. Fixed.
Changes in FlowSsh 9.12: [ 1 January 2022 ]
Cryptography:
The AEAD algorithm chacha20-poly1305 is now supported.
Encrypt-then-MAC algorithms hmac-sha2-256-etm and hmac-sha2-512-etm are now supported.
The MAC algorithm hmac-sha2-512 is now supported (in addition to the previously existing hmac-sha2-256).
Key exchange and MAC algorithms that use SHA-1 are now disabled by default.
PowerShell:
The Keypair and PublicKey classes now provide named constructor functions so the objects can be created more easily from PowerShell. The new constructors are: Keypair.CreateNew, Keypair.CreateFromData; PublicKey.CreateFromKeypair, PublicKey.CreateFromData.
SSH:
Bitvise SSH Server, SSH Client and FlowSsh now support a client-session-id global request. This allows a client to identify a new connection as a continuation of a session established in a previous connection. The previous connection may have disconnected abruptly in a way such that the server has not yet detected the disconnection. The "client-session-id" helps the server identify and disconnect the previous connection, cleaning up resources so that they can be available to the new connection.
SFTP:
The graphical SSH Client, the command-line client sftpc, as well as FlowSshC/Cpp/Net, now support opening the SFTP channel using a custom subsystem. This can be used with Unix-style servers that require "sudo" to open SFTP with administrative (root) privileges. For example: "sudo /usr/lib/openssh/sftp-server"
General:
A specific connect-from interface can now be configured for outgoing connections. This allows the connection to originate from a specific network interface, instead of the default network interface used by Windows.
Changes in FlowSsh 8.53: [ 5 February 2022 ]
When using one of the key exchange methods with Diffie Hellman group exchange, Bitvise SSH Client and FlowSsh could perform an invalid memory access. Invalid DH group size parameters could be sent to the server. Fixed.
Changes in FlowSsh 8.48: [ 18 May 2021 ]
SFTP:
FlowSsh 8.47 introduced an issue where text file uploads would not work when using the file transfer modes AutoStd or Text, which are available in SFTP protocol versions 4 and 6. Fixed.
When downloading a file using the AutoStd file transfer mode, which is available in SFTP protocol versions 4 and 6, FlowSsh first opens the file in binary mode. If the file appears to be textual, FlowSsh closes and reopens the file using the flag SSH_FXF_TEXT_MODE.
Some servers do not handle this scenario gracefully and do not allow the file to be reopened. With these servers, the AutoStd mode cannot work. When such a server fails the reopen attempt, FlowSsh would previously perform a non-exploitable null pointer read due to a failed dynamic cast. Such an error will now be gracefully reported.
Changes in FlowSsh 8.47: [ 3 April 2021 ]
Version information:
This version continues an upgrade access amnesty so that all users who could use a previous 8.xx version can update to the latest version with accumulated fixes. The minimum upgrade access to use this version is October 23, 2018.
SSH:
FlowSsh will now recognize a server with "MFT" in its SSH version string as a variant of "J2SSH_Maverick". This means FlowSsh will no longer send SSH_MSG_EXT_INFO by default to such servers. See the previous compatibility change for J2SSH_Maverick, in version history for FlowSsh version 8.42.
SFTP:
When uploading files using SFTP v6; and if the server advertises support for either the block flag SSH_FXF_BLOCK_WRITE or the combination SSH_FXF_BLOCK_WRITE | SSH_FXF_BLOCK_ADVISORY; then FlowSsh will now request one of these block flags when opening the file. This is to prevent premature actions by other server-side processes or file transfer clients that can modify or corrupt the file before the upload is complete.
Since some servers falsely advertise support for block flags they do not support, FlowSsh will detect such a response to a file open request, and retry without the flags.
Improved compatibility with blind drop servers when uploading and downloading. The procedures now attempt to perform the transfer instead of failing after preliminary errors that are common in blind drop situations.
Changes in FlowSsh 8.44: [ 4 October 2020 ]
SSH:
Bitvise SSH Client and FlowSsh will now recognize servers with "Maverick_SSHD" and "GoAnywhere" in their SSH version strings as variants of "J2SSH_Maverick". This means Bitvise SSH Client and FlowSsh will no longer send SSH_MSG_EXT_INFO by default to such servers. See the previous compatibility change for J2SSH_Maverick, in version history for Bitvise SSH Client and FlowSsh versions 8.42.
Applications using FlowSshC/Cpp/Net can now customize whether to use the elevation and no-flow-control extensions; whether to send the client-side SSH_MSG_EXT_INFO message; and whether to enable the sending of global requests. In FlowSshC, this is done using the new FlowSshC_Options2. In FlowSshCpp and FlowSshNet, it is done using the existing Options structures.
Changes in FlowSsh 8.42: [ 9 May 2020 ]
Version information:
This is not a new feature release, but a successor to 8.36 with continued maintenance updates.
We skip versions containing zeros to avoid misunderstandings. For example, 8.04 and 8.40 might both be called "8.4".
Compatibility:
Current and previous FlowSsh versions do not support Windows 10 versions 1507 and 1511. These versions contain a flawed cryptographic implementation which prevents a number of SSH algorithms from working correctly. The lowest Windows 10 version supported is 1607.
SSH:
In rare circumstances, an SSH session could terminate in such a way that the application would crash. Fixed.
The CrushFTP server, and other servers based on the J2SSH Maverick implementation, may advertise support for SSH_MSG_EXT_INFO (RFC 8308), but have a bug where the server disconnects if the client sends this message. FlowSsh now attempts to detect these servers based on their SSH version strings, and disable sending of the client-side SSH_MSG_EXT_INFO if detected.
OpenSSH 6.2 and 6.3 can be configured to enable AES GCM, but crash if it is used. Bitvise software versions 8.42 and higher will now disable AES GCM if the remote version string indicates an affected OpenSSH version.
SFTP:
The SFTP server which identifies itself as "SSH-2.0-SFTP Server" has a flawed SFTP v4+ text mode implementation. The default transfer mode with this server will now be Binary instead of AutoStd.
Security Notification: [ 27 October 2019 ]
Authors of the Minerva attack have identified a small but significant timing information leak in the Crypto++ implementation of ECDSA over prime field curves. This attack may allow discovery of a private key through repeated observation of signature timing. If the leak can be utilized, an attacker could compromise a server host key or a client authentication key using a practical number of connections across a network.
The following is the impact on Bitvise SSH Server, SSH Client and FlowSsh versions before 8.36:
On all recent Windows versions (Vista and higher), there is no effect on users of Bitvise software versions 7.xx and 8.xx who use private keys of algorithms RSA, Ed25519, or ECDSA over the NIST curves nistp256, nistp384 or nistp521. On all recent versions of Windows, and using recent Bitvise software versions, these algorithms use Windows cryptography, which is unaffected by Minerva. In the case of Ed25519, we similarly use a non-Crypto++ implementation, which is unaffected.
On all versions of Windows, using all versions of Bitvise software, the Minerva issue may apply to users who generated, and are using, host keys or client keys of type ECDSA/secp256k1. Bitvise software versions 8.35 and earlier use Crypto++ to implement this algorithm on all platforms. We encourage such users to update to our latest software versions.
On Windows XP and Windows Server 2003, regardless of Bitvise software version; and for Bitvise software versions 5.xx and 6.xx, regardless of Windows version; the Minerva issue may apply to users of ECDSA private keys of any type. We encourage such users to update to our latest software versions, and/or to update to newer versions of Windows.
With Bitvise SSH Server, SSH Client and FlowSsh 8.36, we are releasing the following mitigations:
On all recent Windows versions (Vista and higher), where we previously used Crypto++ to support ECDSA/secp256k1, we are switching to alternatives. If the version of Windows is recent enough (for example, Windows 10, Windows Server 2016 and 2019), our default cryptographic provider (CiWinCng) now uses Windows cryptography to support ECDSA/secp256k1 as well as ECDH/secp256k1. Where Windows does not support secp256k1 (for example, Windows Vista to 8.1 and Windows Server 2008 to 2012 R2), we now support it using OpenSSL.
On Windows XP and Windows Server 2003, we face the issue that maintained cryptographic libraries that continue to support these platforms are hard to switch to and harder to find, while the number of users is small and diminishing. In current versions, we continue to rely on Crypto++ on these platforms, but implement mitigations to make it harder or impossible to observe signature timing across the network.
On all versions of Windows, we continue to use Crypto++ to support non-standard DSA keys. These are DSA keys as used in SSH of size other than 1024 bits. Since versions 7.xx, we have discouraged the use of DSA keys of any size. Also, DSA is not within scope of the Minerva research, so the current attack does not apply directly. Nevertheless, because we use Crypto++ to support non-standard DSA keys on all platforms, we now activate mitigations for these keys to make it harder or impossible to observe signature timing remotely.
Changes in FlowSsh 8.36: [ 27 October 2019 ]
Implemented mitigations for the Minerva attack as discussed in the security notification:
On Windows 10, Windows Server 2016 and 2019, the algorithms ECDSA/secp256k1 and ECDH/secp256k1 now use Windows cryptography. As a result, these algorithms are now also available when FIPS mode is enabled in Windows.
On Windows Vista to 8.1, and Windows Server 2008 to 2012 R2, the algorithms ECDSA/secp256k1 and ECDH/secp256k1 now use OpenSSL instead of Crypto++. As a side effect, use of these algorithms on Windows Vista now requires at least Service Pack 1 (OpenSSL will fail to initialize on Vista without service packs).
On Windows XP and Windows Server 2003, our software continues to use Crypto++ for all algorithms, but implements mitigations to make it harder or impossible to observe signature timing remotely. Continuing support for these Windows versions is increasingly impractical for multiple reasons including cryptography. Like Microsoft and other software vendors have done, we will need to stop supporting these platforms eventually, but we still support them right now.
Changes in FlowSsh 8.35: [ 20 August 2019 ]
Fixed a deadlock which could occur in FlowSshC/Cpp/Net if a directory listing or file transfer was aborted by closing the SFTP channel after SSH_FXP_OPEN or SSH_FXP_OPENDIR was sent, but before SSH_FXP_HANDLE was received.
There exist interim, but deployed versions of SSH implementations including SmartFTP which implement the no-flow-control extension based on a previous, non-final draft where the extension value was empty. FlowSsh will now no longer disconnect when receiving an unrecognized no-flow-control extension value, but will attempt to continue; and will now treat an empty value as if the remote party sent "p" (for "preferred").
Very old PuTTY versions before 0.58 are now treated as not global-request capable. When these versions are waiting for a channel open confirmation, they will treat any packet other than a channel open confirmation as a failure (including if the packet is a global request).
Changes in FlowSsh 8.31: [ 15 April 2019 ]
Fixed a memory safety issue which seems to be hard to trigger, but could have security ramifications.
Via a user report, we identified a type of Dropbear server which does not respond to SSH_MSG_GLOBAL_REQUEST. This may work properly in other Dropbear servers, but since the affected server cannot be distinguished from others by its SSH version string, FlowSsh will no longer send global requests to Dropbear servers.
Changes in FlowSsh 8.23: [ 27 December 2018 ]
Fixed an issue in previous 8.xx versions which would prevent Bitvise SSH Client and FlowSsh from connecting to a server that supports host key synchronization and employs a key type the client does not support. This affected connections from Windows XP and Windows Server 2003, where our cryptographic provider does not support Ed25519; and use under FIPS mode, where Ed25519 and ECDSA/secp256k1 are not supported.
Changes in FlowSsh 8.21: [ 17 December 2018 ]
In version 8.15, FlowSsh would not use RSA private or public keys larger than 8192 bits. This limit is once again 16384 bits.
If the server implements RFC 8308, FlowSsh now includes the extension "global-requests-ok" in its SSH_MSG_EXT_INFO.
Remote version string parsing for compatibility decisions is now consolidated and unified.
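A sketch of what consolidated version-string handling can look like, covering the compatibility decisions this history lists (SSH_MSG_EXT_INFO for J2SSH Maverick variants, AES GCM for OpenSSH 6.2 and 6.3, global requests for Dropbear and PuTTY before 0.58, Binary mode for "SSH-2.0-SFTP Server"). This is an added example, not FlowSsh code: the Quirks fields, the substring matching and the PuTTY token pattern are assumptions, and the identification lines in the comments and test inputs are constructed.

```python
import re
from dataclasses import dataclass, field

MAX_IDENT = 255  # RFC 4253 section 4.2: maximum length including CR LF

# Tokens this page names as marking servers that break on SSH_MSG_EXT_INFO.
EXT_INFO_BROKEN = ("J2SSH_Maverick", "Maverick_SSHD", "GoAnywhere", "MFT",
                   "HOSTED~FTP~")


@dataclass
class Quirks:
    """Hypothetical result type; not the FlowSsh Options structure."""
    send_ext_info: bool = True
    send_global_requests: bool = True
    allow_aes_gcm: bool = True
    default_transfer_mode: str = "AutoStd"
    reasons: list = field(default_factory=list)


def parse_ident(line: bytes) -> str:
    """Validate a remote identification line and return software + comments."""
    if len(line) > MAX_IDENT:
        raise ValueError("identification string exceeds 255 bytes")
    text = line.rstrip(b"\r\n").decode("ascii")  # non-ASCII raises ValueError
    if any(not 32 <= ord(ch) < 127 for ch in text):
        raise ValueError("control character in identification string")
    if not text.startswith(("SSH-2.0-", "SSH-1.99-")):
        raise ValueError("unsupported protocol version")
    return text.split("-", 2)[2]


def quirks_for(line: bytes) -> Quirks:
    software = parse_ident(line)
    q = Quirks()

    token = next((t for t in EXT_INFO_BROKEN if t in software), None)
    if token is not None:
        q.send_ext_info = False
        q.reasons.append("EXT_INFO disabled: matched " + token)

    # OpenSSH 6.2 and 6.3 can enable AES GCM but crash when it is used.
    if re.search(r"OpenSSH_6\.[23](?!\d)", software):
        q.allow_aes_gcm = False
        q.reasons.append("AES GCM disabled: OpenSSH 6.2/6.3")

    # Dropbear cannot be told apart by version string, so all are covered.
    if "dropbear" in software.lower():
        q.send_global_requests = False
        q.reasons.append("global requests disabled: Dropbear")

    # Assumed token format, e.g. PuTTY_Release_0.57.
    putty = re.search(r"PuTTY[_-]Release[_-](\d+)\.(\d+)", software)
    if putty and (int(putty[1]), int(putty[2])) < (0, 58):
        q.send_global_requests = False
        q.reasons.append("global requests disabled: PuTTY before 0.58")

    if software == "SFTP Server":
        q.default_transfer_mode = "Binary"
        q.reasons.append("Binary default: flawed SFTP v4+ text mode")
    return q


if __name__ == "__main__":
    for ident in (b"SSH-2.0-Maverick_SSHD\r\n",
                  b"SSH-2.0-OpenSSH_6.2p2 Ubuntu-6\r\n",
                  b"SSH-2.0-dropbear_2018.76\r\n",
                  b"SSH-2.0-SFTP Server\r\n",
                  b"SSH-2.0-OpenSSH_8.9\r\n"):
        print(ident.strip().decode(), "->", quirks_for(ident).reasons or "defaults")
```

Validation runs before any matching, so an oversized or non-printable identification line is rejected rather than logged or compared.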
Changes in FlowSsh 8.15: [ 28 October 2018 ]
FlowSsh now supports automatic host key rotation. The application can implement a handler to synchronize keys from Bitvise SSH Server and any other servers that support the OpenSSH mechanism "hostkey update and rotation". Bitvise SSH Server will announce to clients all configured host keys, including those not employed, to facilitate host key rotation. A FlowSsh application can automatically trust new host keys announced by a trusted server and remove any keys the server has removed.
FlowSsh now relays to the application any descriptions configured on the server for server-configured port forwarding rules.
A new file transfer mode, TextLf, is now supported. This works the same as AutoLf, but forces newline conversions without relying on file type detection.
Bitvise SSH Server, SSH Client and FlowSsh once again support non-standard DSA keys larger than 1024 bits. We do not recommend using these keys, and new keys of this type cannot be generated. Also, these keys cannot be used when FIPS mode cryptography is enabled in Windows. Re-adding support for these keys is intended to resolve an obstacle that may still be preventing some users of 6.xx versions from upgrading.
When using Windows cryptography, Bitvise SSH Server, SSH Client and FlowSsh now implement a backup strategy for DH and ECDH key exchange. Windows implements key exchange, but it does not expose the agreed value in a form suitable for SSH. Bitvise software must retrieve the value by carefully traversing undocumented Windows structures. In versions 7.xx, this required our software to be upgraded to continue working after the Windows 10 1803 update. FlowSsh will now fall back to Crypto++ if it cannot perform key exchange because Windows internal structures have changed. However: if FIPS mode is enabled in Windows, this backup strategy is not used, and FlowSsh must be updated.
When importing keys, such as from files, the stage at which an import failed is now described in more detail.
FlowSsh now supports the delay-compression extension. Delayed compression reduces a server's attack surface for unauthenticated clients by delaying availability of compression until after a user is authenticated. The delay-compression extension is an improvement over previously supported alternatives: the zlib@openssh.com method contains a by-design race condition, while the approach of invoking a second key exchange doubles the overhead of establishing an SSH session.
Security Clarification:
We are receiving occasional inquiries about whether our software is affected by the libssh vulnerability CVE-2018-10933, where a client can bypass authentication by sending an SSH_MSG_USERAUTH_SUCCESS message to the server.
Bitvise software does not share common code with libssh. Our understanding is that the libssh issue arises due to commingling of authentication state for server-side and client-side purposes. In Bitvise software, authentication state is managed in separate client-side and server-side components. The server-side authentication component is not affected by this issue and will ignore any SSH_MSG_USERAUTH_SUCCESS message sent by the client.
Changes in FlowSsh 7.46: [ 14 October 2018 ]
After the SSH session has been terminated by receiving EOF or sending SSH_MSG_DISCONNECT, FlowSsh will now discard any further outgoing SSH packets. This helps avoid a stall in processing and further improves the odds that all previously received data will be processed.
File transfer: Fixed an issue where, if the connection was lost during a download while synchronization was being performed, the local file size would be reset to zero.
As a maintenance release, this version continues an upgrade amnesty. For users with FlowSsh licenses for use in applications independent of Bitvise SSH Client, any FlowSsh activation code that could activate a previous 7.xx version will also activate this version.
Changes in FlowSsh 7.45: [ 11 August 2018 ]
Bitvise SSH Server, SSH Client, and FlowSsh previously did not implement strict size limits or sanitization of content before displaying or logging strings received from a remote party. Much stricter size limits and sanitization are now implemented.
Bitvise SSH Server, SSH Client, and FlowSsh now report the size of the Diffie Hellman group actually used in DH key exchange. This is useful with key exchange methods that use DH group exchange, where there was previously no straightforward way to know what size group was used.
Changes in FlowSsh 7.44: [ 1 July 2018 ]
Cryptography: Implemented support for changes in Windows internal cryptographic structures in Windows Insider Preview Build 17704. This build was released to Windows Insiders in the Fast ring on June 27, 2018.
Users who need to use earlier versions of our software on new Windows builds that change internal structures can work around compatibility issues by using the following key exchange algorithms: Curve25519, ECDH over nistp256k1. These key exchange methods do not rely on Windows cryptography; however, our software does not provide them if FIPS mode is enabled in Windows. Other key exchange methods require upgrading our software to a version that supports the new Windows build.
Changes in FlowSsh 7.43: [ 19 June 2018 ]
File transfer: Fixed issues in past Bitvise software versions that resulted in incorrect file times when using subsecond times with SFTP protocol versions 4 and 6. This would result in incorrect last modified times after a file transfer which affected, on average, about one in several hundred files. Affected files would receive a last modified timestamp incorrect by up to 7+ minutes.
C compatibility: Made necessary changes so that FlowSshC.h can again be used without change using the Microsoft Visual Studio compiler in C mode (not C++ mode).
Security Notification: [ 18 May 2018 ]
We have been informed of, and have taken steps to address:
- A security issue in common functionality used by Bitvise software.
- An initialization issue in a compression library used by Bitvise software.
Issue 1:
This issue consists of an invalid memory access. At this time, we believe this memory access is always invalid and cannot be used for remote code execution.
This issue has the following impact on Bitvise SSH Server and Client:
High severity: When an affected Bitvise SSH Server version is installed on a 32-bit version of Windows, a remote unauthenticated attacker can cause the SSH Server's main service to stop abruptly.
This high severity impact is not present on 64-bit versions of Windows. The following other impacts are present on all versions of Windows.
Lower severity: An authenticated user connected to Bitvise SSH Server who is permitted to use the SFTP subsystem can cause the SFTP subsystem to stop abruptly. This can have an effect on what actions are logged. For example, an error might be logged instead of the last actions taken by the user.
Lower severity: A server to which a user connects using Bitvise SSH Client can cause the SSH Client to stop abruptly. Due to the limited effects, this would not be an interesting attack in most usage scenarios.
Low severity: If a user or administrator imports a specially crafted file when using either the local Bitvise SSH Server Control Panel; the remote Bitvise SSH Server Control Panel; or Bitvise SSH Client; then the process being used to import the file can stop abruptly. Due to the limited effects, this would not be an interesting attack in most usage scenarios.
In addition, this issue has the following impact on applications using FlowSsh:
If an application using the 32-bit version of FlowSsh connects to a server which sends a specially crafted packet that should cause FlowSsh to disconnect, the application will instead stop abruptly. The severity of this impact depends on the characteristics of the application.
At this time, we believe applications using the 64-bit version of FlowSsh are unaffected.
The following versions of our software are affected by issue 1:
- Bitvise SSH Server 6.xx, but not version 6.51 and future versions.
- Bitvise SSH Server 7.xx, but not versions 7.41 and higher.
- Bitvise SSH Client 6.xx and 7.xx, but not versions 7.41 and higher.
- FlowSsh 5.xx and 7.xx, but not version 7.41 and future versions.
We have addressed issue 1 in Bitvise SSH Server, Client, and FlowSsh versions 7.41 and higher. In addition, we have addressed issue 1 for Bitvise SSH Server 6.xx versions due to the high severity impact on 32-bit versions of Windows.
At this time, the limited impact does not seem to warrant applying this change to 6.xx versions of Bitvise SSH Client and FlowSsh. We encourage users of Bitvise SSH Client to upgrade to the latest versions free of charge. Users of FlowSsh 5.xx will need to have upgrade access to a 7.xx version to upgrade.
Issue 2:
Issue 2 consists of incorrect delayed initialization in a compression library used by Bitvise software. We believe this could be used by one SSH session that uses compression to corrupt decompressed data in another simultaneous session that uses compression. However, for this to be likely, there must not have been another session that used compression since application startup. Therefore, the attack would have to occur at the same time as when the first legitimate session that uses compression begins after Bitvise SSH Server or an application using FlowSsh has started.
The following versions of our software are affected by issue 2:
- All older versions of Bitvise SSH Server, but not versions 7.41 and higher.
- All older versions of FlowSsh, but not version 7.41 and future versions.
Bitvise SSH Client only ever establishes one SSH session per process instance, so the issue cannot be exploited. A FlowSsh application could be affected if it simultaneously starts multiple concurrent SSH sessions after launching.
Mitigation:
We recommend that all users of affected Bitvise SSH Server, Client, and FlowSsh versions upgrade to the newest current versions, which can be downloaded from our website:
- The latest version of Bitvise SSH Server, for example 7.42 or newer.
- The latest version of Bitvise SSH Client, for example 7.42 or newer.
- The latest version of FlowSsh, for example 7.41 or newer.
In addition, users of Bitvise SSH Server versions 6.xx who do not wish to upgrade can download version 6.51, which also fixes issue 1, but not issue 2.
Changes in FlowSsh 7.41: [ 29 April 2018 ]
This is not a new feature release, but a successor to 7.39 with continued maintenance updates. (We skip over versions containing zeros to avoid ambiguities. For example, 7.04 and 7.40 might both be referred to as "7.4".)
- SSH:
Fixed an issue in zlib compression provided by the Crypto++ library. There existed a race condition which could cause data to be decompressed incorrectly in specific circumstances. For this to happen, the first SSH session to use compression, and the second SSH session to use compression, would have to be initiated at the same time after the application using FlowSsh is started.
Fixed a denial of service attack vector described in the associated security notification.
- File transfer:
FlowSsh will no longer send fire-and-forget SSH_FXP_CLOSE messages by default. Depending on circumstances such as network latency, Bitvise SSH Server versions up to and including 7.39 could fail to process the SSH_FXP_CLOSE request and incorrectly log that the final transfer may not have completed as intended. This has been fixed in the SSH Server with version 7.41.
Changes in FlowSsh 7.39: [ 20 January 2018 ]
SFTP: In past 7.xx versions, Bitvise SSH Client and FlowSsh would perform a Resume check regardless of the type of server if Overwrite was enabled for upload. We suspect this could cause creation of an empty file with the same name on servers that support creation of multiple files with the same name.
The Resume check will no longer be performed when connected to a server that does not support SFTP v6 check-file and check-file-blocks extensions. With a server that supports these extensions, the Resume check will continue to be performed for Overwrite, since in this case Resume and Overwrite are the same operation.
Security Clarification: [ 5 January 2018 ]
We have received inquiries about whether our software is affected by the Meltdown and Spectre vulnerabilities.
Meltdown and Spectre are fundamentally CPU vulnerabilities which require the attacker to be able to execute carefully selected code, in many cases with high-resolution timers. These vulnerabilities are generally not exploitable in situations where the attacker cannot run such code. If you are using Bitvise software for SFTP or SCP file transfer, port forwarding, Git access, or limited terminal access using the BvShell terminal shell, these types of access do not present an opportunity to exploit these vulnerabilities.
If you are using Bitvise SSH Server to provide terminal shell access to non-administrator users, then if these non-administrator users can run arbitrary programs, they can also run programs that could take advantage of Meltdown to gain administrative access. In this case, we recommend that you apply a Windows patch that attempts to mitigate the CPU vulnerabilities that enable Meltdown.
Changes in FlowSsh 7.36: [ 27 November 2017 ]
- Development, licensing, and US export control:
This is the first version of Bitvise SSH Server, SSH Client, and FlowSsh published from the United States.
All assets, operations, relationships, and agreements related to Bitvise software development and licensing, including license agreements for use of Bitvise software by users, have been transferred from Bitvise Limited incorporated in Gibraltar, to Bitvise Limited now incorporated in Texas.
Final builds are now performed in Texas. Our software development continues in Slovenia, Germany, and Hungary, and may include developers elsewhere in the future.
This move is an administrative change. Our development, ownership, pricing, support, terms and policies and relationship to customers generally remain the same.
For the purpose of export from the United States, our SSH Server, SSH Client and FlowSsh are self-classified as Mass-Market products using the ECCN 5D992, with the encryption authorization type identifier MMKT. These denote eligibility under License Exception ENC § 740.17(b)(1) of the Export Administration Regulations (EAR).
Bitvise SSH Server, SSH Client, and FlowSsh now come with new license agreements. Users must review the new EULAs, even though the terms remain substantially the same. We apologize for this inconvenience, and have attempted to draft the agreements in a way that this might not be necessary very often.
- SSH:
Windows 10 version 1709, OS build 17046.1000, changed internal Windows structures in a way that prevented Bitvise SSH Server, SSH Client, and FlowSsh from obtaining the agreed value in DH or ECDH key exchange. This prevented successful SSH connections using this new Windows build. Fixed.
There exist SSH implementations based on WeOnlyDo, e.g. freeSSHd, which might not send failure description and language tag fields when sending an SSH_MSG_CHANNEL_OPEN_FAILURE message. Bitvise SSH Server, SSH Client and FlowSsh will now behave as though these fields were sent as empty strings, instead of disconnecting due to an unexpected packet format.
Changes in FlowSsh 7.35: [ 16 September 2017 ]
We have identified two compatibility issues in current and past versions of mod_sftp for ProFTPD:
- When using SFTP versions 4-6, when a client requests attributes not supported by mod_sftp, the server returns an incorrectly encoded response. With past Bitvise SSH Client and FlowSsh versions, this would result in a disconnect.
- When using SFTP version 6, mod_sftp indicates support for the check-file extensions, but disconnects if the client requests the server to hash a larger file block by block. This prevents Bitvise SSH Client and FlowSsh from performing hash-based synchronization of file content, which would normally be used instead of Resume or Overwrite if check-file extensions can be used.
We expect these issues will be resolved in future mod_sftp versions. However, mod_sftp now comes configured by default to not send its version in the SSH version string. A client therefore cannot distinguish between a newer version that contains these fixes, and an older version which does not.
At this time, Bitvise SSH Client and FlowSsh will avoid the known compatibility issues by restricting SFTP protocol version to 3 when mod_sftp is detected. We would like to lift this restriction in the future if there arises a way to detect the mod_sftp version early enough.
We have identified a compatibility issue with Van Dyke VShell:
- When using SFTP version 6, the VShell server indicates support for the check-file extensions, but does not support block-by-block hashing. This prevents Bitvise SSH Client and FlowSsh from performing hash-based synchronization of file content, which would normally be used instead of Resume or Overwrite if check-file extensions can be used.
- At this time, hash-based synchronization will be avoided when connecting to VShell, and Resume and Overwrite will be used instead.
- If VShell chooses to implement support for block-by-block hashing, Bitvise SSH Client and FlowSsh will once more use this functionality if the server advertises the extension name check-file-blocks in its supported2 packet.
Bitvise SSH Client and FlowSsh will now recognize the check-file extension indicator in the supported2 packet as required by the SFTP extensions draft, in addition to check-file-name and check-file-handle.
Bitvise SSH Client and FlowSsh will now recognize a check-file-blocks extension sent by servers. We suggest that future SFTP server implementations advertise support for check-file-blocks if all of the following are true:
- The server supports block-by-block file hashing.
- Any reasonable block size requested by the client is supported.
- A file can be hashed block-by-block starting from an arbitrary offset.
Changes in FlowSsh 7.34: [ 1 August 2017 ]
- This version fixes a memory leak introduced in version 7.31.
Changes in FlowSsh 7.31: [ 3 May 2017 ]
- This is not a new feature release, but a successor to 7.29 with continued maintenance updates. (We skip over versions containing zeros to avoid ambiguities. For example, 7.03 and 7.30 might both be referred to as "7.3".)
- Small changes in key places improve CPU efficiency on the order of 30% (impact may depend on the system). This improves transfer speeds where CPU is the bottleneck or, while maintaining the same performance, allows for a greater number of simultaneous connections. Users who were previously maxing out a single core and seeing transfer speeds of e.g. 150 MB/s, may now see e.g. 200 MB/s.
- Diffie-Hellman key exchange algorithms that use group exchange are once again deprioritized, regardless of which cryptographic provider is in use. This means other key exchange algorithms will again be preferred. In version 7.21, we stopped deprioritizing these algorithms because our Windows CNG cryptographic provider can handle dynamic DH group parameters generated by servers like OpenSSH. However, there remain older servers, such as SunSSH, which generate DH groups which are not acceptable to any of our cryptographic providers.
Changes in FlowSsh 7.29: [ 31 March 2017 ]
- Fixed a rarely occurring race condition which could cause FlowSsh to terminate the host application when closing an SFTP channel.
Changes in FlowSsh 7.24: [ 14 January 2017 ]
- Compatibility improvement for older versions of Cerberus FTP Server: when downloading a textual file using the file transfer mode Auto Std, FlowSsh will now close the file before reopening it in text mode. This is to avoid issues with servers that do not properly handle two open handles to the same file simultaneously.
Changes in FlowSsh 7.21: [ 31 December 2016 ]
- Cryptography:
- On Windows Vista, Windows Server 2008, and newer, our SSH Server, SSH Client, and FlowSsh now support server and client public key authentication using Ed25519, and ECDH key exchange using Curve25519. These algorithms are not available when Windows is running in FIPS mode.
- We have updated support for OpenSSH private keys, so that our software is now able to import and export them in their new format as introduced by OpenSSH in December 2013.
- Our SSH Server, SSH Client, and FlowSsh now support Diffie Hellman key exchange with 3072-bit and 4096-bit fixed groups, using SHA-512 as the exchange hash; and with the 2048-bit fixed group using SHA-256 as the exchange hash.
- On Windows Vista, Windows Server 2008, and newer, our SSH Client and FlowSsh no longer deprioritize key exchange methods that use DH group exchange. On Windows XP and Windows Server 2003, the group exchange methods are still deprioritized by default, because ephemeral DH groups generated by most SSH servers do not pass validation by the Crypto++ cryptographic module we use on these older platforms.
- The FlowSsh KeyExchangeAlgs parameter structure now supports configuration of minimal, maximal, and optimal group sizes when using Diffie Hellman group exchange.
- SSH:
- SSH protocol obfuscation, with optional obfuscation keyword, is now supported in the same way as in Bitvise SSH Server and Client. Obfuscation can be enabled via the new Client method, SetObfuscation.
- Port forwarding:
- Dynamic proxy forwarding is now supported using SOCKS4, SOCKS5, or the HTTP CONNECT method. It is enabled and disabled via the new Client methods EnableProxyForwarding and DisableProxyForwarding.
- Logging of port forwarded connections is now supported. To handle notifications of port forwarded connections, configure a ForwardingLogHandler using Client.OnForwardingLog.
- Listening sockets created by FlowSsh, such as for client-to-server port forwarding, now use a larger backlog value to reduce the likelihood of connections being refused.
Changes in FlowSsh 7.15: [ 4 September 2016 ]
- In version 7.14, the FlowSshC/Cpp/Net version was increased to 7.14, but the inner FlowSsh version was left at 7.12. Increased both versions to 7.15.
Changes in FlowSsh 7.14: [ 3 August 2016 ]
- With a small probability (e.g. 1:200), SSH implementations generate RSA signatures slightly smaller than expected. Windows CNG has been found to not validate such signatures as presented. With our software versions 7.12, this has resulted in occasional connection or login attempt failures. Our SSH Server, SSH Client, and FlowSsh now re-encode RSA signatures, so that smaller-than-expected ones can verify correctly.
- Windows CNG, as used by our new cryptographic provider in versions 7.xx, has been found to return an incorrect signature size for odd-sized RSA keys (e.g. for 1023-bit or 2047-bit keys). Most SSH implementations do not generate odd-sized RSA keys, but there are old versions of PuTTY which do (e.g. version 0.62). Our SSH Server, SSH Client, and FlowSsh now take steps to support generating and validating signatures using such keys.
- Certain implementations (e.g. OpenSSH version 7.2, but not 7.2p2) have been found to encode RSA signatures using the new signature methods rsa-sha2-256 and rsa-sha2-512 in a way that is not compatible with the specification of these methods. For compatibility, our SSH Server, SSH Client, and FlowSsh will now accept these alternate signature encodings.
- Our SSH Server, SSH Client, and FlowSsh now have improved Windows error reporting, distinguishing NTSTATUS error messages from those associated with HRESULT.
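The short-signature and odd-sized-key cases above can be illustrated with the following added example, which is not Bitvise code. It assumes the re-encoding is a left-pad of the signature octets to the modulus length (RFC 8332 notes that some signers omit leading zeros); the function names and the sample modulus and signature are constructed for illustration.

```python
import struct

RSA_SIG_ALGS = {b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512"}

def read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def write_string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value

def split_signature(sig_field: bytes):
    """Split an SSH signature field into (algorithm name, signature octets S)."""
    alg, off = read_string(sig_field, 0)
    s, off = read_string(sig_field, off)
    if off != len(sig_field):
        raise ValueError("trailing bytes after signature blob")
    return alg, s

def modulus_octets(modulus: int) -> int:
    # Round up, so odd-sized keys (1023 or 2047 bits) still get a whole octet count.
    return (modulus.bit_length() + 7) // 8

def normalize_rsa_signature(sig_field: bytes, modulus: int) -> bytes:
    """Left-pad S with zero octets to the modulus length; the integer is unchanged."""
    alg, s = split_signature(sig_field)
    if alg not in RSA_SIG_ALGS:
        raise ValueError("not an RSA signature")
    k = modulus_octets(modulus)
    if len(s) > k or int.from_bytes(s, "big") >= modulus:
        raise ValueError("signature out of range for this key")
    return write_string(alg) + write_string(s.rjust(k, b"\x00"))

def strict_length_ok(sig_field: bytes, modulus: int) -> bool:
    """What a verifier that insists on exactly k octets would check."""
    _, s = split_signature(sig_field)
    return len(s) == modulus_octets(modulus)

# Constructed sample: only the size of the modulus matters here, so this is
# not a real RSA modulus. 2047 bits -> 256 octets.
CONSTRUCTED_MODULUS = (1 << 2046) | 1
# Constructed signature whose two leading zero octets were dropped by the signer.
SHORT_S = b"\x01" + b"\xab" * 253
SHORT_SIG = write_string(b"rsa-sha2-256") + write_string(SHORT_S)

if __name__ == "__main__":
    print("strict check before:", strict_length_ok(SHORT_SIG, CONSTRUCTED_MODULUS))
    fixed = normalize_rsa_signature(SHORT_SIG, CONSTRUCTED_MODULUS)
    print("strict check after: ", strict_length_ok(fixed, CONSTRUCTED_MODULUS))
```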
Changes in Bitvise FlowSsh 7.12: [ 25 June 2016 ]
- Cryptography:
- Important: DSA keys larger than 1024 bits are no longer supported. The implementation of these keys in Bitvise software pre-dated the NIST standard for large DSA keys, and was incompatible both with the NIST standard and other implementations that might use it. In general, support for the DSA algorithm is being deprecated by SSH implementations. For interoperability with older SSH installations, we continue to support 1024-bit DSA keys, but we recommend migrating either to 3072-bit RSA, or ECDSA.
- On Windows Vista, Windows Server 2008, and newer, our software now uses a new cryptographic provider, CiWinCng, which uses built-in Windows cryptography. This provider adheres to FIPS 140-2 requirements as long as FIPS mode is enabled in Windows security policy. In FIPS mode, ECDSA and ECDH are supported with curves nistp256, nistp384 and nistp521, but not with curve secp256k1 because this curve is not implemented in Windows. When FIPS mode is disabled in Windows, the curve secp256k1 remains available (implemented using Crypto++).
- On Windows XP and Windows Server 2003, our software continues to use our previous cryptographic provider, which uses the Crypto++ 5.3.0 DLL. This DLL was FIPS-certified, but its certificate has been moved to the historical list due to changed random number generator requirements since January 1, 2016.
- When using the new CiWinCng cryptographic provider - default on all recent Windows versions - the encryption/integrity algorithms aes256-gcm and aes128-gcm are now supported. Our implementation is interoperable with the OpenSSH implementation of these algorithms.
- New RSA signature algorithms rsa-sha2-256 and rsa-sha2-512 are now supported for host authentication.
- The EXT_INFO extension negotiation mechanism is now supported, allowing for the use of new RSA signature algorithms rsa-sha2-256 and rsa-sha2-512 for client authentication.
- SSH and SFTP:
- When connecting to an SSH server for which some host keys are already known (as full host keys - not fingerprints), the preference list of host key algorithms will now be reordered to favor algorithms for which host keys are known. Previously, if an SSH server added a new host key using an algorithm preferred by the client over an algorithm of a previous host key already trusted by the client, the new host key would have to be manually verified for the very next connection, or else the connection would fail.
- When the server supports file hashing in SFTP version 6, files that already exist on both sides will now be transferred with greater efficiency, and ensuring greater correctness, by comparing hashes of the portion of the file that already exists on both sides, and transferring only the parts determined to be different. This transfer mode overrides the normal Overwrite and Resume modes that are otherwise available with servers that do not support file hashing.
- General:
- Recent FlowSsh versions targeted the SSE2 instruction set, which caused them to not run on old computers lacking support for SSE2. Versions 7.xx now target the SSE instruction set, which allows for compatibility with old CPUs, at the cost of a small performance penalty - in our measurements, between 0 and 0.5%.
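The hash-based transfer described under "SSH and SFTP" above, and the block-by-block hashing that the 7.35 notes ask servers to advertise as check-file-blocks, can be sketched as follows. This is an added example, not FlowSsh code: it models only the semantics (start offset, length, block size), not the SFTP wire format, and the function names, SHA-256, the 256-byte block size and the sample data are assumptions.

```python
import hashlib

BLOCK_SIZE = 256  # assumed block size for the illustration

def server_check_file(remote: bytes, start: int, length: int, block_size: int):
    """Stand-in for the server: hash remote[start:start+length] block by block."""
    end = min(len(remote), start + length)
    return [hashlib.sha256(remote[o:min(o + block_size, end)]).digest()
            for o in range(start, end, block_size)]

def plan_upload(local: bytes, remote_len: int, check_file, block_size: int = BLOCK_SIZE):
    """Return (ranges, truncate_to): the (offset, length) ranges of `local` that
    must be sent, and the size to truncate the remote file to (or None)."""
    common = min(len(local), remote_len)          # portion present on both sides
    remote_hashes = check_file(0, common, block_size)
    ranges = []

    def add(off, n):
        if n <= 0:
            return
        if ranges and ranges[-1][0] + ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + n)   # coalesce neighbours
        else:
            ranges.append((off, n))

    for idx, off in enumerate(range(0, common, block_size)):
        n = min(block_size, common - off)
        mine = hashlib.sha256(local[off:off + n]).digest()
        # A missing hash is treated as a mismatch, so a short reply costs
        # bandwidth rather than correctness.
        if idx >= len(remote_hashes) or remote_hashes[idx] != mine:
            add(off, n)
    add(common, len(local) - common)              # part the remote does not have yet
    return ranges, (len(local) if remote_len > len(local) else None)

def apply_plan(local: bytes, remote: bytes, ranges, truncate_to):
    """Simulate the writes on the remote side to confirm the plan is complete."""
    out = bytearray(remote)
    for off, n in ranges:
        out[off:off + n] = local[off:off + n]
    if truncate_to is not None:
        del out[truncate_to:]
    return bytes(out)

# Constructed sample data: five 256-byte blocks plus a 100-byte tail.
LOCAL = b"".join(bytes([i]) * 256 for i in range(5)) + b"tail" * 25
# Remote copy is shorter and has one corrupted block (the third).
REMOTE = LOCAL[:512] + b"\xff" * 256 + LOCAL[768:1024]

if __name__ == "__main__":
    plan, trunc = plan_upload(
        LOCAL, len(REMOTE), lambda s, l, b: server_check_file(REMOTE, s, l, b))
    print(plan, trunc, apply_plan(LOCAL, REMOTE, plan, trunc) == LOCAL)
```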
Changes in Bitvise FlowSsh 5.39: [ 5 April 2016 ]
- Fixed an issue which could cause FlowSsh, and the process in which it runs, to crash under rare conditions.
- Fixed a small memory leak which could become visible after long periods of use, e.g. after tens of thousands of SSH sessions under the same process.
Changes in Bitvise FlowSsh 5.38: [ 26 January 2016 ]
- Fixed a race condition that would cause process instability and abrupt termination on creation of an SFTP channel. The problem appears to have existed in all earlier FlowSsh versions, but became more visible in version 5.37. Due to the significance of the issue, this version continues to include an upgrade amnesty. Upgrade recommended.
Security Notification: [ 30 November 2015 ]
We have recently discovered a security issue in a common library used by Bitvise software. Given specific, but common conditions, this issue can be exploited by an unauthenticated remote attacker to cause instability and denial of service in affected software. We cannot exclude that this issue could be exploited to run arbitrary code.
The following versions of our software are affected:
- SSH Server 5.xx and 6.xx, up to and including version 6.43. Version 6.44 and newer do not contain this issue.
- SSH Client 6.xx, up to and including version 6.43. Versions 6.44 and newer do not contain this issue.
- FlowSshC/Cpp/Net versions up to and including 5.36. Versions 5.37 and newer do not contain this issue.
To help mitigate this issue, Bitvise SSH Server versions 6.44 and 6.45, Bitvise SSH Client versions 6.44 and 6.45, and FlowSsh version 5.37 contain an upgrade amnesty, so that any existing license that is valid for any of the software versions affected by this issue can be used with the respective latest unaffected software version. This means that all users of Bitvise SSH Server and Client 5.xx and 6.xx can upgrade to version 6.45, and can activate it using their existing activation code. This also applies to FlowSsh users upgrading to version 5.37.
Users of Bitvise SSH Server and Client per-installation licenses can log in to access their existing activation codes.
Users of FlowSsh, and users of large-scale licenses, can upgrade using activation codes received in order delivery.
Changes in Bitvise FlowSsh 5.37: [ 10 November 2015 ]
- Contains an important update. Upgrade recommended for existing users.
Changes in Bitvise FlowSsh 5.36: [ 29 October 2015 ]
- If configured, the session inactivity timeout could take up to double the configured amount of time. Detection of this timeout is now more accurate.
- The GSSAPI DH key exchange method with group exchange is now also de-prioritized when connecting to non-Bitvise servers, along with other methods that use group exchange. (Non-Bitvise servers tend to generate DH parameters that are incompatible with the FIPS cryptographic provider used by FlowSsh; this results in key exchange failures.)
- Robustness improvements affecting FlowSshCpp and FlowSshNet:
- Channel objects now maintain a reference to their parent Client object. Previously, a Client object could be destroyed with an active Channel if the user held the Client reference in a way that allowed the garbage collector to release it.
- Reworked reference counting in FlowSshCpp to improve robustness and eliminate crashes that could occur during stress testing on some platforms. Users of FlowSshCpp that use explicit reference counting (with raw pointers) should note that AddRef now must be called explicitly after instantiating an object (e.g. Client). Users who use RefPtr (recommended) should see their code continue to work as before.
Changes in Bitvise FlowSsh 5.35: [ 30 August 2015 ]
- Interaction with Bitvise SSH Client: FlowSshNet is now included with Bitvise SSH Client, which comes with .ps1 scripts demonstrating how to use FlowSshNet from PowerShell. The FlowSsh library - including the standalone version - can now be used under the Bitvise SSH Client license if Bitvise SSH Client is installed on the same computer. FlowSsh no longer displays an evaluation dialog on computers where Bitvise SSH Client is installed.
- Correctness: FlowSshNet previously used a handler architecture which could cause a Keypair object to be released by the .NET application before it was released by FlowSshC running in native code. This would cause FlowSshC to later make a call from a native fiber into .NET to release the Keypair object. This worked in .NET 2.0, but causes the application to crash in .NET 4.0. To address this, we have re-architected FlowSsh handlers, so that calls from a native fiber into .NET no longer occur.
- Ease of use: What was previously the Client class in FlowSshNet is now ClientBase. A new Client class now derives from ClientBase, and implements additional methods that can spare a simple FlowSshNet application, such as a PowerShell script, from having to define event handlers at all. This makes FlowSshNet easier to use for scripting, and allows it to be used from PowerShell, which does not support implementing event handlers with return values.
- SSH:
- SHA-256 public key fingerprints, compatible with the latest OpenSSH versions, are now supported.
- ECDH and ECDSA key exchange and host key algorithms are now supported in FlowSshCpp and FlowSshNet.
- The 1024-bit fixed prime Diffie Hellman key exchange method, diffie-hellman-group1-sha1, is now disabled by default, due to doubts about continuing security of Diffie Hellman with a 1024-bit fixed prime. Compatibility with most older servers should be retained via the diffie-hellman-group14-sha1 method, which uses a 2048-bit fixed prime. We recommend migrating older SSH servers to new versions supporting ECDH and ECDSA.
- Symmetric encryption algorithms that use CBC mode are now disabled by default. FlowSsh, as well as Bitvise SSH Client and Server, implement defenses against attacks on CBC mode, but other implementations that still use CBC mode are unlikely to implement such defenses. Most implementations should now support encryption in CTR mode.
- SFTP:
- OpenSSH servers contain a flaw where a noisy shell startup script, such as a .bashrc file, will cause garbage data to be passed to an SFTP client on the SFTP channel. Previously, this would prevent establishing an SFTP session. The client now ignores such invalid data, and looks for a particular byte signature to indicate the start of the server's first packet in the SFTP session.
- When transferring files in text mode using SFTP version 4 or higher, the ignored offset is now set to an invalid 64-bit value instead of zero. This prevents an unending transfer with servers that do not ignore the offset as required by the textual transfer mode (e.g. older versions of VShell).
- Fixed an issue which could cause the SFTP client to send more channel data after sending channel close.
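One way a client can skip shell startup noise ahead of the server's first SFTP packet, as an added example that is not FlowSsh code. The notes do not say which byte signature FlowSsh looks for; this sketch assumes it is a well-formed SSH_FXP_VERSION packet (type 2), and the size limits, function names and sample stream are constructed for illustration.

```python
import struct

SSH_FXP_VERSION = 2
MAX_PACKET = 34000       # assumed sanity cap on the version packet length
MAX_NOISE = 64 * 1024    # assumed limit on how much junk is tolerated

def _parse_extensions(body: bytes):
    """Parse (name, data) string pairs; return a list, or None if malformed."""
    exts, off = [], 0
    while off < len(body):
        pair = []
        for _ in range(2):
            if off + 4 > len(body):
                return None
            (n,) = struct.unpack_from(">I", body, off)
            off += 4
            if off + n > len(body):
                return None
            pair.append(body[off:off + n])
            off += n
        exts.append((pair[0], pair[1]))
    return exts

def find_version_packet(stream: bytes, max_version: int = 6):
    """Locate the first complete, well-formed SSH_FXP_VERSION packet.

    Returns (offset, version, extensions), or None if none is present yet;
    the caller retries as more channel data arrives.
    """
    for i in range(min(len(stream), MAX_NOISE)):
        if len(stream) - i < 9:
            break
        length, ptype, version = struct.unpack_from(">IBI", stream, i)
        if ptype != SSH_FXP_VERSION or not (5 <= length <= MAX_PACKET):
            continue
        if not (1 <= version <= max_version):
            continue
        end = i + 4 + length
        if end > len(stream):
            continue                      # candidate is incomplete
        # Validating the whole packet, not just the header, keeps junk that
        # happens to contain a plausible header from being accepted.
        exts = _parse_extensions(stream[i + 9:end])
        if exts is None:
            continue
        return i, version, exts
    return None

def _string(value: bytes) -> bytes:
    return struct.pack(">I", len(value)) + value

# Constructed sample: text printed by a startup script, then the real packet.
CONSTRUCTED_NOISE = b"Welcome to build-host!\nQuota: 12% used\n"
_body = (struct.pack(">BI", SSH_FXP_VERSION, 3)
         + _string(b"posix-rename@openssh.com") + _string(b"1"))
CONSTRUCTED_STREAM = CONSTRUCTED_NOISE + struct.pack(">I", len(_body)) + _body

if __name__ == "__main__":
    print(find_version_packet(CONSTRUCTED_STREAM))
```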
Changes in Bitvise FlowSsh 5.34: [ 2 May 2015 ]
- When key exchange fails due to no match in algorithms, the local and remote algorithm lists are now reported.
- The final build of version 5.33 contained an issue which would cause the using application to freeze on exit.
Changes in Bitvise FlowSsh 5.33: [ 26 April 2015 ]
- When using SFTP protocol version 6, SSH_FXP_OPEN requests sent by previous FlowSsh versions would include the flag SSH_FXF_BLOCK_WRITE, in an attempt to prevent remote files from being modified while FlowSsh is accessing them. This resulted in servers that do not support this flag failing such open requests, preventing successful transfers. This flag is currently no longer sent as part of SSH_FXP_OPEN.
- The Client object now supports the method SetKexDoneHandler, allowing the application to register for notifications of completed key exchanges, and to receive data about negotiated key exchange, encryption, data integrity, and compression algorithms. It was previously not possible for the application to obtain information about algorithms actually negotiated by the library.
- The Client object now implements the method SetDebugFile, allowing an application developer to capture a debug record of the SSH session for purposes of testing and diagnosis. Use event mask 1024 (0x0400) for the most common event type desired (FlowDebug::MessageSent).
- Objects caching public key information kept internally by FlowSsh are now properly thread-safe. It was previously possible for concurrency issues to arise with applications that could call Client.Connect on multiple threads simultaneously.
Changes in Bitvise FlowSsh 5.27: [ 4 November 2014 ]
- The Keypair object now supports the method GetPuttyData, allowing for private keys to be exported in PuTTY format.
- The Keypair method CreateNew now supports ECDSA algorithms in addition to "ssh-rsa" and "ssh-dss". The following additional algorithm names are now supported: "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ecdsa-sha2-1.3.132.0.10".
- FlowSsh now supports ECDH-based key exchange algorithms, and ECDSA host authentication. Additional fields for these algorithms have been added to structures KeyExchangeAlgs and HostKeyAlgs.
- Data integrity protection algorithms that use MD5, or that produce a truncated 96-bit digest ("hmac-md5", "hmac-XXXX-96"), are now disabled by default, but can still be enabled explicitly by the application.
- The Client object now supports the method SetSocketProvider. By default, FlowSsh will use only a narrow selection of trusted Windows Layered Service Providers, which promotes stability, but comes at a possible expense of connectivity. Applications can now use this method to cause FlowSsh to use any LSP that may be installed, promoting connectivity, but at a possible expense of stability. Please note that non-default LSPs have been deprecated with Windows Server 2012, in favor of the Windows Filtering Platform.
Known issues
.NET Application Domains: In our current design, FlowSsh is incompatible with applications that use .NET Application Domains. The FlowSsh implementation makes heavy use of fibers, which .NET Application Domains do not support. This means FlowSsh is currently not a suitable choice for use in ASP.NET (within an IIS process).
- Windows XP: All versions of our software that we recommend using are built using Visual Studio 2015. The C++ run-time library used by this Visual Studio version has a known issue where 1-2 kB of memory are leaked each time a new thread is created. This issue does not occur on later Windows versions; it does not occur e.g. on Windows Server 2003. Microsoft has stated they do not intend to fix this issue. Bitvise's view is that the impacts on our SSH Client and FlowSsh are manageable; whereas our SSH Server is rarely used on Windows XP. We therefore do not plan to work around this; but we warn that this can be a potential denial of service vector on Windows XP.