Multiple Vendor Embedded FTP Service Any Username Authentication Bypass

medium Nessus Plugin ID 10990

Synopsis

A random username and password can be used to authenticate to the remote FTP server.

Description

The FTP server running on the remote host can be accessed using a random username and password. Nessus has enabled some countermeasures to prevent other plugins from reporting vulnerabilities incorrectly because of this.

Solution

Correct the FTP server's configuration so that the service handles authentication requests properly.

Plugin Details

Severity: Medium

ID: 10990

File Name: DDI_FTP_Any_User_Login.nasl

Version: 1.31

Type: remote

Family: FTP

Published: 6/5/2002

Updated: 8/9/2018

Dependencies: ftpserver_detect_type_nd_version.nasl

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Excluded KB Items: global_settings/supplied_logins_only

Vulnerability Publication Date: 1/1/2002