The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.
According to its banner, the version of ProFTPD installed on the remote host is 1.3.2x prior to 1.3.2b or 1.3.3x prior to 1.3.3rc2 and is affected by a mitigation bypass vulnerability when the dNSNameRequired TLS option is enabled.

It has been discovered that proftpd-dfsg, a virtual-hosting FTP daemon, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, when the dNSNameRequired TLS option is enabled.

This update fixes CVE-2009-3639, in which proftpd's mod_tls, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate. This allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority. This update to upstream release 1.3.2b also fixes the following issues recorded in the proftpd bug tracker at bugs.proftpd.org: - Regression causing command-line define options not to work (bug 3221) - Use correct cached user values with 'SQLNegativeCache on' (bug 3282) - Slower transfers of multiple small files (bug 3284) - Support MaxTransfersPerHost, MaxTransfersPerUser properly (bug 3287) - Handle symlinks to directories with trailing slashes properly (bug 3297)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been identified and corrected in proftpd :

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '&#0;' character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-3639).

This update fixes this vulnerability.

ID	Name	Product	Family	Severity
106752	ProFTPD < 1.3.2b / 1.3.3x < 1.3.3rc2 client-hostname restriction bypass	Nessus	FTP	medium
44790	Debian DSA-1925-1 : proftpd-dfsg - insufficient input validation	Nessus	Debian Local Security Checks	medium
42846	Fedora 10 : proftpd-1.3.2b-1.fc10 (2009-11666)	Nessus	Fedora Local Security Checks	medium
42845	Fedora 11 : proftpd-1.3.2b-1.fc11 (2009-11649)	Nessus	Fedora Local Security Checks	medium
42240	Mandriva Linux Security Advisory : proftpd (MDVSA-2009:288)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2009-3639

high

Tenable Plugins

medium

medium

medium

medium

medium