Aspera Security Vulnerability

On April 24th, IBM announced what they are calling a Buffer Overflowvulnerability in the aspshell executable of Aspera. This vulnerability effects all versions of the High-Speed Transfer Server prior to version 3.9.6.1, all versions of the High-Speed Endpoint prior to version 3.9.6.1, and all versions of the Aspera Proxy prior to version 1.4.4.1.

If you are running any affected versions of Aspera, you should immediately upgrade or apply the vulnerability patch.

To Install the Patch on Linux

Download the patch from here.

Simply copy/replace the new aspshell file over the existing aspshell at /opt/aspera/bin

cp /path/to/downloaded/aspshell /opt/aspera/bin
chmod 0755 /opt/aspera/bin/aspshell
chown root:root /opt/aspera/bin/aspshell

Validate the checksum on the new aspshell binary

sha256sum /opt/aspera/bin/aspshell 

Ensure the checksum results in: 
cf9b6de9f6e5eff03dae1beb86aa5a53b038b014d2304b1a6f2dd293342f9d9f

To Install the Patch on Windows

Download the patch from here.

Simply copy/replace the new aspshell file over the existing aspshell.

For the High-Speed Transfer Server, aspshell is located at: “%PROGRAMFILES%\Aspera\Enterprise Server\bin\”

For the High-Speed Transfer Endpoint, aspshell is located at: “%PROGRAMFILES%\Aspera\Point-to-Point\bin\aspshell C:\ProgramData\”

copy  path_to_downloaded_aspshell “%PROGRAMFILES%\Aspera\Enterprise Server\bin\”

Validate the checksum on the new aspshell binary

certutil -hashfile path_to_downloaded_aspshell.exe SHA256

Ensure the checksum results in: 
4f1e68895bb10b936d574557f8dab888f1201e5e5d859aec9789d07f2ccc8da9

More Information

For more information, see the Security Bulletin on IBM’s website