File Director – Mitigation against a redress attack

Version 2

    Verified Product Versions

    File Director 3.6
    File Director 3.5
    File Director 3.0
    File Director 2.0
    File Director 4.0
    File Director 4.1
    File Director 4.2
    File Director 4.3
    File Director 4.4
    File Director 4.5
    File Director 2018.1

    Introduction

    This knowledge article describes how to mitigate a UI redress (clickjacking) attack against the web interfaces of Ivanti File Director.


    Detail

    File Director version 2018.1 and earlier do not send an X-Frame-Options response header, so the web interfaces can be embedded in an iframe on a third-party page, which could theoretically be used to trick a user into entering their credentials into an attacker-controlled site. This issue will be remediated in File Director 2018.3, but there are two simple mitigation techniques that concerned customers can apply to current and previous releases:


    1. The web interfaces for administrators and end users run on separate ports on the File Director appliance. By default, the administrator interface is on port 8443, and the end user interface is on port 443. Either or both can be protected by firewall rules so that they are not exposed to the Internet.
    2. The end user web interface can be disabled using options in the console (see below). Note that most customers use the Windows, macOS, iOS and Android clients rather than the web interfaces, so for them it can be disabled with no loss of functionality.
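    As an added example (not Ivanti's or File Director's code), the following check parses a captured HTTP response and reports whether it carries X-Frame-Options or a Content-Security-Policy frame-ancestors directive, the headers whose absence makes the web interfaces embeddable. The sample responses are constructed for illustration and were not captured from an appliance.

```python
# Added example: assess whether an HTTP response can be framed by another site.
# Not Ivanti's code; sample responses below are constructed, not captured.
from typing import Dict, List, Optional


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return a lower-cased header map from a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> Dict[str, bool]:
    """Report which anti-framing controls the response carries."""
    xfo = headers.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is obsolete and ignored by current browsers, so only
    # DENY and SAMEORIGIN count as protection.
    xfo_ok = xfo in {"DENY", "SAMEORIGIN"}
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", ""))
    # frame-ancestors * permits every origin and therefore protects nothing.
    csp_ok = ancestors is not None and "*" not in ancestors
    return {"x_frame_options": xfo_ok, "frame_ancestors": csp_ok,
            "protected": xfo_ok or csp_ok}


# Constructed samples: an unprotected response like the one described above,
# and two hardened variants.
UNPROTECTED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
XFO_SAMEORIGIN = b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
CSP_NONE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("unprotected", UNPROTECTED),
                       ("xfo", XFO_SAMEORIGIN), ("csp", CSP_NONE)]:
        print(label, framing_protection(parse_headers(raw)))
```

    Run it against a response saved from the administrator (8443) or end user (443) interface to confirm which of the two controls, if either, is present.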


    Please contact the Ivanti Security team at [email protected] if you have further questions or concerns.