WU-FTPD SITE NEWER Command Memory Exhaustion DoS

Severity: Medium. Nessus Plugin ID 10319

Synopsis

The remote FTP server has a denial of service vulnerability.

Description

The remote WU-FTPD server accepts the command 'SITE NEWER'.
Some WU-FTPD servers (and probably others) are vulnerable to a resource exhaustion condition in which an attacker may invoke this command to use all the memory available on the server.

Solution

Make sure that you are running the latest version of your FTP server. If you are a WU-FTPD user, then make sure that you are using at least version 2.6.0.

*** This warning may be irrelevant.

See Also

https://seclists.org/bugtraq/1999/Oct/212

Plugin Details

Severity: Medium

ID: 10319

File Name: wu_ftpd_site_newer.nasl

Version: 1.45

Type: remote

Family: FTP

Published: 10/29/1999

Updated: 11/15/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-1999-0880

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: ftp/login, ftp/wuftpd, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/19/1999

Reference Information

CVE: CVE-1999-0880

BID: 737