A popular and widely used server software package called ProFTPd has been found to have a vulnerability. This software runs on many different types of servers, including Windows, UNIX, and Linux; and provides File Transfer Protocol (FTP) services.
This vulnerability can allow an attacker to destroy files, and to run malware and other unwanted software on a server running ProFTPd.
Workarounds and updated code for the ProFTPD package are available.
What can you do?
Your system administrator/service provider should:
– Check all servers that provide FTP services to find out if they are running ProFTPd
o Note that these servers may be on-premises or in the Cloud
– Upgrade to the latest compiled version of ProFTPd
– Disable the module that causes the vulnerability if it is not required
Your administrator/service provider should also – as a best practice – disable anonymous FTP connections if they are not required for the server’s business purpose. While this action only partially protects against this specific attack, removing the anonymous connection ability does help protect against many other known attacks against FTP servers in general.
Technical detail and additional information
What is the threat?
A major vulnerability has been detected within the popular File Transfer Protocol (FTP) server software ProFTPd. The vulnerability exists in the mod_copy module of the ProFTPd application, which is the component that allows users to copy files/directories from one place to another on a server without having to transfer data to the client and back. All ProFTPd versions up to and including 1.3.6 are impacted by this vulnerability in the mod_copy module that allows an authenticated user to copy files to a new file name even if they do not normally have write permission. The vulnerability exists even in updated versions if the application was compiled from source code released prior to 7/17/2019. This is caused by a bug in the SITE CPFR and SITE CPTO commands that ignores “Limit WRITE” deny-all directives, which allows a user to copy a file to a current folder even if they do not have permission. This form of attack is also possible without authentication if the FTP service is configured to permit anonymous connections.
Why is this noteworthy?
ProFTPd is one of the most popular FTP servers supporting most UNIX- like systems and Windows. This includes Linux variants derived from UNIX systems including Debian and Ubuntu. It is used by over one million servers worldwide, including many well-recognized businesses. The mod_copy component within ProFTPd comes enabled by default in most operating systems, meaning a large portion of servers may be running the module without realizing it. Also, if anonymous user configuration is enabled on the vulnerable ProFTPd installation, this means attackers will have permission to upload any malicious files onto the FTP server without having to compromise credentials first.
What is the exposure or risk?
This vulnerability could lead to remote code execution or even information disclosure attacks. To achieve this execution, an attacker needs to copy a malicious PHP file to a location where it can be executed. This could be done, for example, by distributing the file as an unrelated project which is also mirrored on the targeted server. The attacker uses the CPFR and CPTO commands to copy the file containing PHP to a file with the PHP extension.
Even if remote code execution is not the goal of the attack, a threat actor can overwrite existing files, causing the destruction of data held on the FTP server.
What are the recommendations?
· Administrators can disable the mod_copy module in the ProFTPd configuration file to protect themselves from any future attacks from this flaw.
· Users who installed the software from proftpd.org should make sure they disable anonymous user access in the ProFTPd configuration file to protect themselves from any future attacks from this flaw, and many other known vulnerabilities in anonymous FTP in general.
· Affected users should upgrade ProFTPd to the latest version as soon as possible if they have installed any versions of the software compiled from source code released before 07/17/2019. This includes installations of 1.3.6 which were updated (not recompiled) from earlier versions.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.