CVE-2019-12815 : divulgation d'une vulnérabilité de contrôle d'accès inapproprié dans ProFTPD
Popular open source FTP daemon affected by an improper access control vulnerability dating back to 2010
Contexte
On July 18, Tobias Mädel published an advisory for an improper access control vulnerability in a default module for ProFTPD, a popular open source FTP daemon for Unix and Unix-like operating systems.
Analyse
CVE-2019-12815 is an arbitrary file copy vulnerability in ProFTPD’s mod_copy module due to improper access control. According to the ProFTPD bug report for this vulnerability, mod_copy does not honor the “<Limit READ>” and “<Limit WRITE>” configuration settings in proftpd.conf, thereby allowing a remote attacker without write permissions to “copy any file on the FTP server” using CPFR and CPTO commands. This is possible under the following scenarios:
- The Anonymous user configuration is enabled on the vulnerable ProFTPD installation
- An attacker has working FTP credentials regardless of restrictions placed on the account
The former scenario is significant because it could allow a remote attacker to upload malicious files to a vulnerable server. Tenable has confirmed that anonymous user access is disabled by default when using Advanced Package Tool (APT) or Yellowdog Updater, Modified (YUM) package managers to install proftpd. However, anonymous user access is enabled by default from a source install from proftpd.org.
The vulnerability affects ProFTPD beginning with version 1.3.4. This is because the mod_copy module was not included as part of the default installation of ProFTPD until version 1.3.4, which was released in 2010.
In a July 23 update to his original advisory, Mädel states “Contrary to news reports, ProFTPd 1.3.6 is also affected and does not contain the fix. There is no patched release version available yet.”
Using an internet-connected search engine, like BinaryEdge, we believe that number is close to over 539,000 potentially exposed based on the affected versions greater than 1.3.4 up to and including 1.3.6. This search does not account for whether or not these systems have anonymous user access enabled.
According to Mädel’s disclosure timeline, he reported the vulnerability to ProFTPD’s security email alias on September 28, 2018, and subsequently reported it to the Debian Security Team on June 12, 2019. Mädel provided a deadline of July 28, 2019, for public disclosure. ProFTPD released a fix to address the vulnerability on July 17, 2019.
A similar vulnerability in mod_copy, CVE-2015-3306, was disclosed in 2015, though it could be exploited by an unauthenticated attacker, making it far more severe than CVE-2019-12815.
Démonstration de faisabilité (PoC)
No Proof-of-Concept code or exploit scripts were available at the time this blog was written. However, the vulnerability details are available in the ProFTPD bug report and simply require an attacker to be able to issue CPFR and CPTO commands either as an anonymous user (if enabled) or post-authentication.
Solution
According to the ProFTPD bug report, the fix for this vulnerability was merged in on July 17, 2019, and backported to the 1.3.6 branch. Various security trackers for Debian, Ubuntu and other Linux or Unix distributions show they remain unpatched and vulnerable. SUSE is not affected by this vulnerability. However, Mädel’s July 23 update to his advisory states that the vulnerability was not fixed in 1.3.6.
Until the patch is released and available downstream, users can disable mod_copy in the ProFTPD configuration file as a workaround.
Identification des systèmes affectés
A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, there are Tenable plugins to identify when Anonymous FTP access is enabled.
Où trouver plus d'informations
- Tobias Mädel's Advisory for CVE-2019-12815
- ProFTPD Bug Tracker: CVE-2019-12815
- ProFTPD Bug Tracker: CVE-2015-3306
Rejoignez l'équipe SRT de Tenable sur Tenable Community.
Apprenez-en plus sur Tenable, la première plateforme de Cyber Exposure qui vous permet de gérer votre surface d'attaque moderne de manière globale.
Get a free 60-day trial of Tenable.io.
Articles connexes
How to Discover, Analyze and Respond to Threats Faster with Generative AI
June 17, 2024Generative AI (GenAI) is being hailed as the most transformative innovation since the rise of the internet. For security, GenAI can revolutionize the field if applied correctly, especially when it comes to threat detection and response. It enhances efficiency and productivity by swiftly processing and delivering critical information when it matters most.
These Services Shall Not Pass: Abusing Service Tags to Bypass Azure Firewall Rules (Customer Action Required)
June 3, 2024Azure customers whose firewall rules rely on Azure Service Tags, pay attention: You could be at risk due to a vulnerability detected by Tenable Research. Here’s what you need to know to determine if you’re affected, and if so, what you should do right away to protect your Azure environment from attackers.
Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software
May 24, 2024Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!
Cybersecurity Snapshot: CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills
July 12, 2024Check out CISA’s call for weeding out preventable OS command injection vulnerabilities. Plus, the Linux Foundation and OpenSSF spotlight the lack of cybersecurity expertise among SW developers. Meanwhile, GenAI deployments have tech leaders worried about data privacy and data security. And get the latest on FedRAMP, APT40 and AI-powered misinformation!
How Risk-based Vulnerability Management Boosts Your Modern IT Environment's Security Posture
July 11, 2024Vulnerability assessments and vulnerability management sound similar – but they’re not. As a new Enterprise Strategy Group white paper explains, it’s key to understand their differences and to shift from ad-hoc vulnerability assessments to continuous, risk-based vulnerability management (RBVM). Read on to check out highlights from this Tenable-commissioned study and learn how RBVM helps organizations attain a solid security and risk posture in hybrid, complex and multi-cloud environments.
Microsoft’s July 2024 Patch Tuesday Addresses 138 CVEs (CVE-2024-38080, CVE-2024-38112)
July 9, 2024Microsoft addresses 138 CVEs in its July 2024 Patch Tuesday release, with five critical vulnerabilities and three zero-day vulnerabilities, two of which were exploited in the wild.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning