CVE-2023-51713: A DoS Flaw Affects ProFTPD

A vulnerability was found in one of the most popular FTP server applications, ProFTPD, an FTP server application trusted by over a million servers globally. Renowned for its wide use in prominent platforms like SourceForge, Samba, and Slackware, this open-source software is a cornerstone in many Linux and Unix distributions.

CVE-2023-51713

The Discovery: CVE-2023-51713

Unearthed by security researcher Martin Mirchev, CVE-2023-51713 exposes a dangerous out-of-bounds buffer read issue in ProFTPD’s make_ftp_cmd function. This flaw, lurking in versions before 1.3.8a, risks crashing the daemon, a consequence of mishandled quote and backslash semantics.

Also, the researcher created a docker image for triggering this flaw:

Steps for reproduction:

  • Docker loads the tar.gz (docker load < file.tar.gz )
  • Create an instance of the container
  • In one terminal in the directory /home/ubuntu/experiments/proftpd , run ./proftpd -n -c /home/ubuntu/replayable-crashes-proftpd/basic.conf -X
  • In another terminal in the directory /home/ubuntu/replayable-crashes-proftpd run aflnet-replay input FTP 21 1
  • ProFTPD should crash in the first terminal

The Delayed Response

Despite Mirchev’s prompt reporting to ProFTPD maintainers in June, the issue remained unaddressed for over three months. It wasn’t until September that team member Castaglia merged a crucial pull request, patching this vulnerability in the 1.3.8 branch.

Another Flaw: CVE-2023-48795

In a twist, ProFTPD’s latest version 1.3.8b also rectifies another vulnerability, CVE-2023-48795. This issue, affecting mod_sftp, involves “Terrapin” Prefix Truncation Attacks in the SSH specification, further highlighting the software’s security challenges.

The Urgent Call for Action

Users and administrators of ProFTPD are urged to upgrade immediately to the latest versions, safeguarding their systems from these potentially devastating exploits.