A security vulnerability has been identified in UFTP affecting all versions from 4.0 to 4.10.1.
When encryption is enabled and SHA-384 or SHA-512 is selected as the hashing algorithm, a bug in the key derivation functions results in the encryption key being set to all bytes 0. This vulnerability can be addressed by selecting SHA-256 as the hashing algorithm.
Version 5.0 is currently under development and will include a new key derivation system based on TLS 1.3 and the removal of algorithms known to be insecure.