Mads
			05-11-2017 02:32 AM
A customer of ours did a security check on a cFP-2220 from us and came back with a request for an update to fix the FTP server's vulnerability to bounce attacks (https://nvd.nist.gov/vuln/detail/CVE-1999-0017)... Is there any such security update available for the VxWorks version running on the cFP-2220 that we could apply?
Preferably they would like to switch from ftp and http to ftps and https (they are worried about clickjacking etc). I guess that's not an option with the cFP-2220, they would need to change their hardware to one of the Linux RT-based controllers, right?
Matthew_William
05-11-2017 07:41 AM
Hi Mads. I don't know whether there are updates to address that issue, but what version are you using?
Will the Access Control settings that are available address their concerns? We have seen improvements in general reliability using the Access Control restrictions with devices connected to relatively open networks.
Matt
05-12-2017 02:05 PM
Hi Mads,
I don't have a cFP-2220 with me, so I'm not certain if this will work with it. Everything looks possible in theory.
In general, industry has moved away from FTP because it is not secure. There are instructions on how to disable it on VxWorks: Disable Real-Time FTP Server. There is another file access method, WebDAV, that is available on VxWorks. More info on WebDAV and use instructions are here.
05-15-2017 08:08 AM
Deactivated FTP (expected it to be a configuration, but ended up just renaming the ftpout-file...). Installed WebDAV and SSL, user account in place... But the reply on WebDAV is just a 405 Method not allowed.