ProFTPD 1.3.7 Vulnerable to Out-of-Bounds Read in mod_cap
A security vulnerability has been discovered in ProFTPD 1.3.7, a popular FTP server. The vulnerability, identified as CVE-2020-9272, allows an attacker to cause an out-of-bounds (OOB) read in the mod_cap module via the cap_to_text function in cap_text.c. This could result in information disclosure or denial of service.
The mod_cap module is used to enable Linux capabilities for ProFTPD processes. Linux capabilities are a way of granting or restricting privileges to processes without using the root user. The cap_to_text function converts a capability set into a human-readable text representation.
The vulnerability was reported by a GitHub user on January 31, 2020. The user provided a proof-of-concept exploit that triggers the OOB read by sending a specially crafted FTP command to the server. The exploit causes the server to crash with a segmentation fault.
The ProFTPD developers have acknowledged the issue and released a patch on February 10, 2020. The patch fixes the OOB read by checking the bounds of the buffer before copying data into it. The patch is available on the ProFTPD website.
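To illustrate the kind of bounds checking the patch description refers to, the following is an added C example, not ProFTPD's or libcap's code: a capability-set-to-text conversion in which the name table is a constructed subset, a bit index outside that table is never used to read past it, and output is clamped to the caller's buffer with truncation reported through the return value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical name table: a short subset for illustration only,
 * not the table used by libcap or ProFTPD's mod_cap. */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid",
};
#define CAP_NAME_COUNT (sizeof(cap_names) / sizeof(cap_names[0]))

/* Bounds-checked lookup: an index past the table yields NULL instead of an
 * out-of-bounds read of whatever memory follows the array. */
static const char *cap_name(unsigned int idx) {
    return idx < CAP_NAME_COUNT ? cap_names[idx] : NULL;
}

/* Render the set bits of `caps` as "name1,name2,...". Bits without a table
 * entry are rendered as "cap_<n>". Returns the length the full text would
 * need (excluding the NUL), like snprintf, so the caller can detect
 * truncation; never writes outside out[0..outlen-1]. */
size_t caps_to_text(uint64_t caps, char *out, size_t outlen) {
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (unsigned int i = 0; i < 64; i++) {
        if (!(caps & ((uint64_t)1 << i))) continue;
        char fallback[16];
        const char *name = cap_name(i);
        if (name == NULL) {
            snprintf(fallback, sizeof fallback, "cap_%u", i);
            name = fallback;
        }
        /* Once the buffer is full, keep counting but stop writing. */
        char *dst = used < outlen ? out + used : NULL;
        size_t room = used < outlen ? outlen - used : 0;
        int n = snprintf(dst, room, "%s%s", used ? "," : "", name);
        if (n < 0) return used;  /* encoding error; buffer stays NUL-terminated */
        used += (size_t)n;
    }
    return used;
}
```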
Users of ProFTPD 1.3.7 are advised to upgrade to the latest version or apply the patch as soon as possible. Alternatively, users can disable the mod_cap module if it is not needed. Users of older versions of ProFTPD are not affected by this vulnerability.
CVE-2020-9272 has been assigned a CVSS v3 base score of 7.5, indicating a high severity level. The vulnerability has been confirmed by several sources, including the National Vulnerability Database (NVD), the Common Vulnerabilities and Exposures (CVE), and Tenable. Some vendors, such as Gentoo and openSUSE, have also issued security advisories for this vulnerability.
ProFTPD is one of the most widely used FTP servers in the world. It is free and open source, and supports various features and protocols, such as IPv6, TLS/SSL, SFTP, FTPS, and SQL. ProFTPD is designed to be secure and configurable, and can run on various platforms, such as Linux, Unix, Windows, and Mac OS X.
CVE is a list of publicly known cybersecurity vulnerabilities. CVE stands for Common Vulnerabilities and Exposures. Each CVE entry has a unique identifier, such as CVE-2020-9272, and a brief description of the vulnerability. CVE entries are created and maintained by the CVE Program, which is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).