CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed

Satnam Narang

Popular open source FTP daemon affected by an improper access control vulnerability dating back to 2010

Background

On July 18, Tobias Mädel published an advisory for an improper access control vulnerability in a default module for ProFTPD, a popular open source FTP daemon for Unix and Unix-like operating systems.

Analysis

CVE-2019-12815 is an arbitrary file copy vulnerability in ProFTPD’s mod_copy module due to improper access control. According to the ProFTPD bug report for this vulnerability, mod_copy does not honor the “<Limit READ>” and “<Limit WRITE>” configuration settings in proftpd.conf, thereby allowing a remote attacker without write permissions to “copy any file on the FTP server” using CPFR and CPTO commands. This is possible under the following scenarios:

  • The Anonymous user configuration is enabled on the vulnerable ProFTPD installation
  • An attacker has working FTP credentials regardless of restrictions placed on the account

The former scenario is significant because it could allow a remote attacker to upload malicious files to a vulnerable server. Tenable has confirmed that anonymous user access is disabled by default when using Advanced Package Tool (APT) or Yellowdog Updater, Modified (YUM) package managers to install proftpd. However, anonymous user access is enabled by default from a source install from proftpd.org.

CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed

The vulnerability affects ProFTPD beginning with version 1.3.4. This is because the mod_copy module was not included as part of the default installation of ProFTPD until version 1.3.4, which was released in 2010.

CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed

In a July 23 update to his original advisory, Mädel states “Contrary to news reports, ProFTPd 1.3.6 is also affected and does not contain the fix. There is no patched release version available yet.”

Using an internet-connected search engine, like BinaryEdge, we believe that number is close to over 539,000 potentially exposed based on the affected versions greater than 1.3.4 up to and including 1.3.6. This search does not account for whether or not these systems have anonymous user access enabled.

CVE-2019-12815: Improper Access Control Vulnerability in ProFTPD Disclosed

According to Mädel’s disclosure timeline, he reported the vulnerability to ProFTPD’s security email alias on September 28, 2018, and subsequently reported it to the Debian Security Team on June 12, 2019. Mädel provided a deadline of July 28, 2019, for public disclosure. ProFTPD released a fix to address the vulnerability on July 17, 2019.

A similar vulnerability in mod_copy, CVE-2015-3306, was disclosed in 2015, though it could be exploited by an unauthenticated attacker, making it far more severe than CVE-2019-12815.

Proof of concept

No Proof-of-Concept code or exploit scripts were available at the time this blog was written. However, the vulnerability details are available in the ProFTPD bug report and simply require an attacker to be able to issue CPFR and CPTO commands either as an anonymous user (if enabled) or post-authentication.

Solution

According to the ProFTPD bug report, the fix for this vulnerability was merged in on July 17, 2019, and backported to the 1.3.6 branch. Various security trackers for Debian, Ubuntu and other Linux or Unix distributions show they remain unpatched and vulnerable. SUSE is not affected by this vulnerability. However, Mädel’s July 23 update to his advisory states that the vulnerability was not fixed in 1.3.6.

Until the patch is released and available downstream, users can disable mod_copy in the ProFTPD configuration file as a workaround.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, there are Tenable plugins to identify when Anonymous FTP access is enabled.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io.

Read more >

Published on Jul 23, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.