Hi,
I have recently become aware of new (to me) attacks against ProFTPd on a Virtualmin Pro server running Ubuntu 14.04 LTS.
CVE-2015-3306
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3306
There is, apparently, no updated 'proftpd' package for Ubuntu 14.04 LTS and the included version is (apparently) vulnerable.
Is this something I should worry about?
Or does the Virtualmin implementation of ProFTPd mitigate this issue?
What have other Virtualmin admins done to mitigate this issue?
For now, I have commented out the mod_copy module in /etc/proftpd/modules.conf and restarted the daemon. I don't know how successful this was nor do I know that it won't cause problems for users. Has anyone else tried this?
http://comments.gmane.org/gmane.network.proftpd.user/9852
https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311
http://www.proftpd.org/docs/contrib/mod_copy.html
Thanks in advance for any comments,
G
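The workaround described in the post above (commenting out the mod_copy module in /etc/proftpd/modules.conf) can be applied and verified with a small script. The following is an added example, not code from the original poster or from the ProFTPD or Virtualmin projects. It assumes the Debian/Ubuntu layout in which DSO modules are loaded from /etc/proftpd/modules.conf by lines of the form `LoadModule mod_copy.c`; the sample modules.conf it builds in a temporary directory is constructed for the demo and is not a copy of any real file.

```shell
#!/bin/sh
# Added example: disable ProFTPD's mod_copy DSO by commenting out its
# LoadModule line in modules.conf, then verify that it is gone and that
# the other modules are untouched.
# Assumption: Debian/Ubuntu layout, modules listed as "LoadModule mod_xxx.c"
# in /etc/proftpd/modules.conf.

# Comment out every active "LoadModule mod_copy.c" line in the given file.
# Idempotent: lines that are already commented are left as they are.
# Writes to a temp file and renames, so a failed sed never truncates the config.
disable_mod_copy() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}mod_copy\.c\)/\1# \2/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 (true) if an active, uncommented LoadModule line for mod_copy.c remains.
mod_copy_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mod_copy\.c' "$1"
}

# Number of modules still actively loaded, to show nothing else was disabled.
active_module_count() {
    grep -Ec '^[[:space:]]*LoadModule[[:space:]]+mod_[a-z_]+\.c' "$1"
}

# Offline demo on a constructed modules.conf (NOT a real Ubuntu file).
demo_on_sample() {
    d=$(mktemp -d)
    cat > "$d/modules.conf" <<'EOF'
# constructed sample modules.conf
ModulePath /usr/lib/proftpd
LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c
LoadModule mod_copy.c
#LoadModule mod_sql.c
EOF
    echo "before: mod_copy enabled? $(mod_copy_enabled "$d/modules.conf" && echo yes || echo no)"
    disable_mod_copy "$d/modules.conf"
    echo "after:  mod_copy enabled? $(mod_copy_enabled "$d/modules.conf" && echo yes || echo no)"
    echo "active modules remaining: $(active_module_count "$d/modules.conf")"
    rm -rf "$d"
}

# Usage on a real system (as root), followed by a daemon restart:
#   disable_mod_copy /etc/proftpd/modules.conf && service proftpd restart
# Try the offline demo with:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_on_sample
fi
```

After restarting the daemon, `mod_copy_enabled /etc/proftpd/modules.conf` returning false confirms the config change; whether the running process actually dropped the module is a separate check, so keep the Launchpad bug in the post above in view for a real package fix rather than relying on this workaround alone.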
Hi,
Virtualmin on Ubuntu does not mitigate the issue. It's a bit more difficult to exploit since it needs a world-writable, predictable directory path. But if you have ProFTPd combined with that and a PHP interpreter, this is pretty disastrous.
I recently packaged the upstream fix as a backported patch for ProFTPd in 12.04 and 14.04. Please visit https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311 and indicate that you're affected. It's waiting on a member of the MOTU security team to review and sponsor my patch.