The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ProFTPD: denial of service via mod_sftp_pam

Synthesis of the vulnerability 

When mod_sftp_pam is enabled on ProFTPD, with a keyboard-interactive authentication, an attacker can send a special SSH packet, to force ProFTPD to allocate a large memory area, in order to trigger a denial of service.
Vulnerable systems: Debian, Fedora, openSUSE, ProFTPD.
Severity of this threat: 2/4.
Creation date: 11/09/2013.
References of this weakness: BID-62328, CERTA-2013-AVI-549, CVE-2013-4359, DSA-2767-1, DSA-27671-1, FEDORA-2013-16798, FEDORA-2013-16810, MDVSA-2013:245, openSUSE-SU-2013:1563-1, openSUSE-SU-2015:1031-1, VIGILANCE-VUL-13412.

Description of the vulnerability 

The mod_sftp module of ProFTPD implements the SFTP subsystem of the SSHv2 protocol. Files are thus transferred inside an SSH session.

The SFTPAuthMethods parameter indicates the supported authentication methods:
 - publickey
 - password
 - keyboard-interactive
 - etc.
The "keyboard-interactive" method uses the mod_sftp_pam module, and allows several message exchanges during the authentication phase.

The contrib/mod_sftp/kbdint.c file of ProFTPD implements the "keyboard-interactive" method. The number of exchanges is read from the client's packet into the "resp_count" variable. However, ProFTPD does not check whether this value is too large before allocating the requested memory areas, so the client controls the size of the allocation.

When mod_sftp_pam is enabled on ProFTPD, with a keyboard-interactive authentication, an attacker can therefore send a special SSH packet, to force ProFTPD to allocate a large memory area, in order to trigger a denial of service.
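The defect described above is an unchecked, client-supplied element count used as an allocation size. The following added example (not ProFTPD's own code) parses the body of an SSH_MSG_USERAUTH_INFO_RESPONSE message (uint32 num-responses followed by that many strings, per RFC 4256) and shows the two checks a hardened implementation applies before allocating: a configured upper bound and a consistency check against the bytes actually present. KBDINT_MAX_RESPONSES is a hypothetical limit chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on responses accepted in one round; the page
 * does not state what limit the fixed ProFTPD release uses. */
#define KBDINT_MAX_RESPONSES 32

enum kbdint_rc { KBDINT_OK = 0, KBDINT_TRUNCATED = 1, KBDINT_TOO_MANY = 2 };

static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void free_responses(char **r, uint32_t n) {
    for (uint32_t i = 0; r && i < n; i++) free(r[i]);
    free(r);
}

/* Parse "uint32 num-responses, string response[1..n]". Returns an array of
 * NUL-terminated copies (free with free_responses) or NULL with *rc set.
 * The vulnerable pattern is to call calloc(n, sizeof(char *)) right after
 * reading n; here n is validated twice before any allocation happens. */
static char **parse_kbdint_responses(const unsigned char *buf, size_t len,
                                     uint32_t *count, enum kbdint_rc *rc) {
    if (len < 4) { *rc = KBDINT_TRUNCATED; return NULL; }
    uint32_t n = read_u32(buf);
    /* Check 1: policy bound, independent of packet contents. */
    if (n > KBDINT_MAX_RESPONSES) { *rc = KBDINT_TOO_MANY; return NULL; }
    /* Check 2: every string carries a 4-byte length prefix, so n strings
     * cannot fit in fewer than 4*n remaining bytes. */
    if ((size_t)n * 4 > len - 4) { *rc = KBDINT_TRUNCATED; return NULL; }
    char **out = calloc(n ? n : 1, sizeof(char *));
    if (out == NULL) { *rc = KBDINT_TRUNCATED; return NULL; }
    size_t off = 4;
    for (uint32_t i = 0; i < n; i++) {
        if (len - off < 4) goto trunc;
        size_t slen = read_u32(buf + off); off += 4;
        if (slen > len - off) goto trunc;
        out[i] = malloc(slen + 1);
        if (out[i] == NULL) goto trunc;
        memcpy(out[i], buf + off, slen); out[i][slen] = '\0'; off += slen;
    }
    *count = n; *rc = KBDINT_OK; return out;
trunc:
    free_responses(out, n); *rc = KBDINT_TRUNCATED; return NULL;
}
```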

This security bulletin impacts software or systems such as Debian, Fedora, openSUSE, ProFTPD.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is confirmed by the editor, and the attack origin is an intranet client.

An attacker with an expert ability can exploit this vulnerability alert.

Solutions for this threat 

ProFTPD: version 1.3.4e.
Version 1.3.4e is fixed:
   ftp://ftp.proftpd.org/distrib/source

ProFTPD: workaround for mod_sftp_pam.
A workaround is to:
 - disable "keyboard-interactive" in "SFTPAuthMethods"
 - disable mod_sftp_pam

Debian: new proftpd-dfsg packages.
New packages are available:
  proftpd-dfsg 1.3.3a-6squeeze7
  proftpd-dfsg 1.3.4a-5+deb7u1

Fedora: new proftpd packages.
New packages are available:
  proftpd-1.3.4d-4.fc18
  proftpd-1.3.4d-4.fc19

Mandriva: new proftpd packages.
New packages are available:
  proftpd-1.3.3g-0.3mdvmes5.2
  proftpd-1.3.3g-2.2.mbs1

openSUSE: new proftpd packages (12/06/2015).
New packages are available:
  openSUSE 13.2: proftpd 1.3.5a-3.1

openSUSE: new proftpd packages (22/10/2013).
New packages are available:
  openSUSE 12.2: proftpd-1.3.4d-2.5.1
  openSUSE 12.3: proftpd-1.3.4d-4.4.5

Computer vulnerabilities tracking service 

Vigil@nce provides computer vulnerability bulletins. The technology watch team tracks security threats targeting the computer system.