Allele Security Alert
ASA-2019-00590
Identifier(s)
ASA-2019-00590, CVE-2019-18217
Title
Pre-authentication remote denial-of-service
Vendor(s)
The ProFTPD Project
Product(s)
ProFTPD
Affected version(s)
ProFTPD version 1.3.7rc before 1.3.7rc2
ProFTPD version 1.3.6 before 1.3.6b
Fixed version(s)
ProFTPD version 1.3.7rc2
ProFTPD version 1.3.6b
Proof of concept
Unknown
Description
An unauthenticated attacker can trigger an infinite loop by sending a malformed network packet, due to incorrect handling of overly long commands. The issue in the network I/O handling causes the child process that serves the client connection to consume 100% CPU.
Technical details
If errno is 7 (E2BIG) because of a too-long command and EOF is then reached, the read() function always returns 0 and is called indefinitely because of the continue statement:
src/main.c:
  ...
  if (cmd_buflen < 0) {
    if (errno == E2BIG) {
      /* The client sent a too-long command which was ignored; give
       * them another chance?
       */
      continue;
    }
  ...
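As an added illustration (not ProFTPD's source and not the project's fix), the following constructed C model reproduces the loop shape described above beside a hardened variant that treats end-of-input as a disconnect before consulting errno; the fake_conn reader, CMD_MAX, MAX_ITER and SAMPLE are assumptions of the model, not values from ProFTPD.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define CMD_MAX  8     /* tiny command limit so the sample line is "too long" */
#define MAX_ITER 1000  /* bounds the demo; the real loop has no bound */
#define SAMPLE "USER aaaaaaaaaaaaaaaaaaaa\r\n" /* constructed: over-long cmd, then EOF */
typedef struct { const char *data; size_t len, pos; } fake_conn; /* stand-in socket */
/* Models the line reader: returns the line length, -1 with errno=E2BIG for an
 * over-long line, and eof_rc at end of input WITHOUT touching errno, which is
 * what a raw read() returning 0 looks like to the caller. */
static int read_cmd(fake_conn *c, char *buf, size_t bufsz, int eof_rc) {
    size_t left = c->len - c->pos;
    if (left == 0) return eof_rc;
    const char *nl = memchr(c->data + c->pos, '\n', left);
    size_t n = nl ? (size_t)(nl - (c->data + c->pos)) + 1 : left;
    c->pos += n;                                  /* line consumed either way */
    if (n > CMD_MAX || n >= bufsz) { errno = E2BIG; return -1; }
    memcpy(buf, c->data + c->pos - n, n); buf[n] = '\0';
    return (int)n;
}
/* Vulnerable shape: EOF comes back as -1 and errno still holds E2BIG from the
 * previous line, so `continue` re-enters read_cmd forever (100% CPU). */
static int vulnerable_loop(fake_conn *c) {
    char buf[CMD_MAX + 1]; int iters = 0;
    while (iters < MAX_ITER) {
        iters++;
        if (read_cmd(c, buf, sizeof buf, -1) < 0) {
            if (errno == E2BIG) continue;         /* "give them another chance" */
            break;                                /* genuine error */
        }
    }
    return iters;                                 /* reaches MAX_ITER */
}
/* Hardened shape: EOF is a distinct return value (0) and treated as a
 * disconnect before errno is consulted, so the loop terminates. */
static int hardened_loop(fake_conn *c) {
    char buf[CMD_MAX + 1]; int iters = 0;
    while (iters < MAX_ITER) {
        iters++;
        int rc = read_cmd(c, buf, sizeof buf, 0);
        if (rc == 0) break;                       /* client went away: stop */
        if (rc < 0) { if (errno == E2BIG) continue; break; }
    }
    return iters;                                 /* 2: one bad line, then EOF */
}
int main(void) {  /* prints "1000 2" */
    fake_conn a = { SAMPLE, sizeof SAMPLE - 1, 0 }, b = a;
    return printf("%d %d\n", vulnerable_loop(&a), hardened_loop(&b)) < 0;
}
```

The vulnerable loop only stops because of the MAX_ITER guard added for the demonstration; without it the iteration count would grow without bound, which is the 100% CPU condition the advisory describes.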
Credits
Stephan Zeisberg
Reference(s)
Remote denial-of-service due to issue in network IO handling
https://github.com/proftpd/proftpd/issues/846
Issue #846: Handle the case where a client tries to send too-large commands
https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4
Issue #846: Handle the case where a client tries to send too-large commands
https://github.com/proftpd/proftpd/commit/518dc1a6e486291fa4f13d2caff0a8aec52d093e
NEWS
https://github.com/proftpd/proftpd/blob/v1.3.7rc2/NEWS
RELEASE_NOTES
https://github.com/proftpd/proftpd/blob/v1.3.7rc2/RELEASE_NOTES
RELEASE_NOTES-1.3.6b
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.6b
NEWS-1.3.6b
http://www.proftpd.org/docs/NEWS-1.3.6b
CVE-2019-18217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18217
CVE-2019-18217
https://nvd.nist.gov/vuln/detail/CVE-2019-18217
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: October 22, 2019