Koozali.org: home of the SME Server

ProFTPD ASCII File Remote Compromise Vulnerability

Nathan Fowler

ProFTPD ASCII File Remote Compromise Vulnerability
« on: September 24, 2003, 07:12:07 PM »
This is something you need to be aware of, since versions of SME/E-Smith use proftpd.

http://www.securiteam.com/unixfocus/5LP0M15B5O.html

SAVIN Jérome

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #1 on: September 25, 2003, 02:16:30 AM »
Any howto to patch our boxes?
Updates blades?

Bye.

Tuxoo

Nathan Fowler

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #2 on: September 25, 2003, 02:37:40 AM »
I don't imagine you'll be able to use the RedHat errata packages because I believe RH uses WU-FTPD, not proftpd.

Your choices are:
1) Recompile from source using the current proftpd version, or patch an older version

2) Disable FTP completely, uninstall the RPM, and just use SCP/SFTP via SSH.

3) Cross your fingers and hope that SME will release an update in a timely fashion. Hope you're not mandated to upgrade due to lack of support for "legacy" versions with an average product life-cycle of less than 4 to 5 months. Example being the OpenSSH errata packages only being provided for 5.6 and 6.0Beta, with 5.5, 5.1.2, 4.1.2, and older versions still vulnerable.

Nathan Fowler

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #3 on: September 25, 2003, 02:38:14 AM »
Oh, and to beat Charlie to the punch, "if you were a paying customer, things would be different".

SAVIN Jérome

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #4 on: September 25, 2003, 02:46:08 AM »
You're right, as I am a paying customer, I'm going to ask them the right way.

Just for info, I have seen the RPM package proftpd-1.2.9rc2-2.i386.rpm on ftp.proftpd.org/distrib/packages/RPMS; maybe we only have to upgrade this package.

Someone wants to try? ;-)

Thanks.

Bye.

Tuxoo.

Dan Brown

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #6 on: September 25, 2003, 02:56:45 AM »
I imagine Charlie's punch would be more like "security issues should be reported to smesecurity@mitel.com", but that's just a guess...

Jon Blakely

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #7 on: September 25, 2003, 10:10:41 AM »
Why can't people read before they send information like this?

From the notification:

Impact:
An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites.

Workaround:
Successful exploitation is not possible if attackers cannot upload files to a vulnerable FTP server. Where possible it is advisable to disable the ability for users to perform FTP uploads, either with file permissions or using ProFTPD configuration parameters:

SME by default denies FTP upload (unless you have modified the template to allow it) from outside the LAN.
Also SME 5.6 and earlier do not use proftpd versions that are included in the list.

Jon
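The workaround quoted in the reply above depends on uploads actually being denied in the ProFTPD configuration. The following is an added example, not part of the thread or the advisory: a coarse check that lists every `<Limit>` block covering upload commands and whether it contains `DenyAll`. The sample configuration, path and function names are constructed for illustration, and the check does not model ProFTPD's precedence between contexts.

```python
import re

# Upload commands plus the ProFTPD command groups that include them.
UPLOAD = {"STOR", "STOU", "APPE", "WRITE", "ALL"}

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
ServerName "example"
<Directory /srv/ftp/pub>      # hypothetical path
  <Limit READ>
    AllowAll
  </Limit>
</Directory>
<Anonymous ~ftp>
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""

def upload_limits(conf_text):
    """List (context, commands, denied) for every <Limit> covering uploads."""
    found, stack, limit = [], ["server"], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        opened = re.fullmatch(r"<(\w+)\s*(.*?)>", line)
        closed = re.fullmatch(r"</(\w+)>", line)
        if opened and opened.group(1).lower() == "limit":
            limit = {"cmds": opened.group(2).upper().split(), "denied": False}
        elif closed and closed.group(1).lower() == "limit":
            if limit and UPLOAD & set(limit["cmds"]):
                found.append((" > ".join(stack), limit["cmds"], limit["denied"]))
            limit = None
        elif opened:                                  # enter Directory, Anonymous, ...
            stack.append(f"{opened.group(1)} {opened.group(2)}".strip())
        elif closed and len(stack) > 1:               # leave that section
            stack.pop()
        elif limit is not None and line.lower() == "denyall":
            limit["denied"] = True
    return found

def server_level_upload_denied(conf_text):
    """True only if a server-level <Limit> on upload commands has DenyAll."""
    return any(ctx == "server" and denied
               for ctx, _, denied in upload_limits(conf_text))

if __name__ == "__main__":
    for ctx, cmds, denied in upload_limits(SAMPLE_CONF):
        print(f"{ctx}: {' '.join(cmds)} -> {'denied' if denied else 'NOT denied'}")
    print("server-level deny:", server_level_upload_denied(SAMPLE_CONF))
```

On the sample, only anonymous uploads are denied, so authenticated accounts with FTP access remain able to upload.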

Nathan Fowler

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #8 on: September 25, 2003, 06:18:52 PM »
Jon, you're sadly mistaken.  Previous versions, while not tested, are also listed as being vulnerable.

Additionally, any user capable of uploading files can exploit this vulnerability with possible root access. An example would be a user who has a virtual domain on that server, with FTP access to maintain the site, who could compromise the system.

You may trust your user base, others do not.

Dan York

Re: ProFTPD ASCII File Remote Compromise Vulnerability
« Reply #9 on: September 27, 2003, 07:13:58 AM »
Note that we have now posted an advisory about this issue on the home page.

http://www.e-smith.org/article.php3&mode=threaded&order=0