vsftpd vsf_filename_passes_filter Function Denial of Service

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote FTP server is prone to a denial of service attack.

Description :

According to its self-reported version number, the instance of vsftpd
listening on the remote server is earlier than 2.3.3 and, as such, may
be affected by a denial of service vulnerability.

An error exists in the function 'vsf_filename_passes_filter()' in
'ls.c' that allows resource-intensive glob expressions to be processed
with the 'STAT' command. Using numerous IP addresses to bypass an
FTP-sessions-per-IP-address limit, a remote attacker can carry out a
denial of service attack.

Note that Nessus did not actually test for the flaw but instead has
relied on the version in vsftpd's banner.
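
The banner-only version check described above can be reproduced offline as follows. This is an added example, not the plugin's own code: it assumes the default vsftpd greeting format "220 (vsFTPd X.Y.Z)", the function names and sample banners are constructed for illustration, and the 2.3.3 threshold is taken from the description.

```python
import re

# Default vsftpd greeting looks like "220 (vsFTPd 2.3.2)". If the admin has set
# a custom ftpd_banner, no version is recoverable and the result is "unknown".
BANNER_RE = re.compile(
    r"^220[ -].*?\(vsFTPd (\d+(?:\.\d+)*)([^)\s]*)\)", re.I | re.M
)
FIXED = (2, 3, 3)  # first release carrying the fix, per the description


def parse_vsftpd_version(banner):
    """Return (version_tuple, suffix), or None if this is not a default vsftpd banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def classify(banner):
    """Classify by self-reported version only; the flaw itself is never exercised."""
    parsed = parse_vsftpd_version(banner)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    # Pad short versions so "2.3" compares as 2.3.0.
    padded = version + (0,) * (len(FIXED) - len(version))
    if padded < FIXED:
        # Still only "potentially": a vendor may have backported the fix
        # without changing the version string in the banner.
        return "potentially_affected"
    if padded == FIXED and suffix:
        # Assumption: a suffixed build of the fixed version cannot be ordered.
        return "unknown"
    return "not_affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ("220 (vsFTPd 2.3.2)", "220 (vsFTPd 2.3.4)",
                   "220 Welcome to FTP service."):
        print(f"{sample!r:35} -> {classify(sample)}")
```

A "potentially_affected" result should be confirmed against the installed package version before it is treated as a finding, since the banner is the only evidence used.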

See also :

http://downloads.securityfocus.com/vulnerabilities/exploits/46617.c
ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.3.3/Changelog
http://seclists.org/bugtraq/2011/Mar/9

Solution :

Update to vsftpd 2.3.4 or later. [While version 2.3.3 actually
addresses this issue, 2.3.4 was released the same day to address a
problem compiling the earlier version.]

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVSS Temporal Score : 3.3
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: FTP

Nessus Plugin ID: 52704

Bugtraq ID: 46617

CVE ID: CVE-2011-0762