ProFTPD: Attackers can escalate privileges

Attackers can abuse a security vulnerability in ProFTPD to escalate their privileges on the system. Source code updates are available.

(Image: A criminal tries to crack the encryption/login of a computer. Created with AI in Bing Designer by heise online / dmk)


A security vulnerability in the popular FTP server ProFTPD can be abused by attackers to escalate their privileges on vulnerable systems. The developers have provided a source code patch that corrects the error.

The vulnerability description in the CVE entry CVE-2024-48651 states that mod_sql does not provide so-called supplemental groups. As a result, users inherit the supplemental group with GID 0. This has been reported by users in the Debian bug tracker and discussed in the ProFTPD GitHub repository. Because of the vulnerability, root access was possible when ProFTPD is used together with mod_sql. ProFTPD 1.3.8b before commit cec01cc is affected. In ProFTPD 1.3.5, by contrast, users in the same situation inherit the supplemental group nogroup, which carries only minimal security risk. The CERT-Bund of the BSI classifies the vulnerability as high risk with a CVSS value of 8.8.
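As an added illustration, not code from the article or from the ProFTPD project, the following C program shows the privilege-drop pattern the CVE description points at: a daemon that starts as root must replace its supplementary group list with setgroups() or initgroups() before calling setgid() and setuid(), otherwise the session keeps GID 0 inherited from the parent process. The reading that the ProFTPD session ended up with GID 0 because the mod_sql backend supplied no group list to hand to setgroups() is my interpretation of the description, not a statement from the article; the function names drop_privileges, has_root_gid and process_has_root_gid are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if GID 0 appears anywhere in the given group list, else 0. */
int has_root_gid(const gid_t *groups, int ngroups) {
    for (int i = 0; i < ngroups; i++) {
        if (groups[i] == 0) {
            return 1;
        }
    }
    return 0;
}

/* Inspect the calling process's own supplementary groups.
   Returns 1 if GID 0 is present, 0 if not, -1 on error.
   Useful as a self-check right after dropping privileges, or when
   run from within an FTP session to confirm the session is clean. */
int process_has_root_gid(void) {
    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    if (n < 0) {
        return -1;
    }
    return has_root_gid(groups, n);
}

/* Correct privilege drop order: supplementary groups first (only root
   may change them), then the primary GID, then the UID.
   'supp' is the group list an authentication backend supplied. If the
   backend supplied none (hypothetically the mod_sql situation the
   article describes), fall back to the user's /etc/group membership via
   initgroups() instead of leaving the daemon's own groups in place.
   Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(const char *user, const gid_t *supp, int nsupp) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (nsupp > 0) {
        if (setgroups((size_t)nsupp, supp) != 0) {
            return -1;
        }
    } else if (initgroups(user, pw->pw_gid) != 0) {
        return -1;
    }
    if (setgid(pw->pw_gid) != 0) {
        return -1;
    }
    if (setuid(pw->pw_uid) != 0) {
        return -1;
    }
    /* Defensive verification: GID 0 must not linger after the drop. */
    if (process_has_root_gid() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone use: report whether the current process carries GID 0. */
int main(void) {
    int r = process_has_root_gid();
    if (r < 0) {
        perror("getgroups");
        return 2;
    }
    printf("supplementary GID 0 present: %s\n", r ? "yes" : "no");
    return r;
}
```

Run the compiled binary from inside a session of the service in question (for example via an FTP SITE EXEC equivalent, if one is available, or by checking the Groups: line of /proc/PID/status for the session process) to confirm that no supplementary GID 0 survives authentication; a non-zero exit status from this program indicates the condition the CVE describes.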

Anyone using the ProFTPD service should therefore keep an eye out for updated packages. The ProFTPD website (which, incidentally, is only served over HTTP) still refers to version 1.3.9rc2 from December 2023. However, the source code in the GitHub repository received a patch two weeks ago that fixes the vulnerability.


Most web browsers no longer support FTP, which significantly reduces its visibility. However, a search in the Shodan database reveals that it is still very widespread.

The global distribution of ProFTPD servers found shows Germany in 1st place.

(Image: sh0dan)

More than 800,000 servers worldwide use ProFTPD, most of which are located in Germany – currently around 158,500. In the USA, Shodan finds 145,000 servers, followed by France with around 75,000 instances. It is unclear how many of these are actually vulnerable to the high-risk vulnerability. However, IT managers with ProFTPD instances should check whether there has been an updated package for their distribution in the last two weeks or, if necessary, recompile the server from current sources.

Such data transfer solutions are rarely visible, but are used very frequently. They are worthwhile targets for criminals. Last year, for example, the Cl0p cyber gang abused security vulnerabilities in MOVEit Transfer to steal sensitive data from companies and organizations and blackmail them.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.