Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.

The remote Solaris system is missing necessary patches to address security updates :

  - Use-after-free vulnerability in the Response API in     ProFTPD before 1.3.3g allows remote authenticated users     to execute arbitrary code via vectors involving an error     that occurs after an FTP data transfer. (CVE-2011-4130)

Vulnerabilities were discovered for the proftpd packages in openSUSE version 12.1.

The remote host is affected by the vulnerability described in GLSA-201309-15 (ProFTPD: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ProFTPD. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could possibly execute arbitrary code with       the privileges of the process, perform man-in-the-middle attacks to spoof       arbitrary SSL servers, cause a Denial of Service condition, or read and       modify arbitrary files.
  Workaround :

    There is no known workaround at this time.

New proftpd packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, 13.37, and -current to fix security issues.

A vulnerability was discovered and fixed in proftpd :

Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer (CVE-2011-4130).

The updated packages have been upgraded to the latest version 1.3.3g which is not vulnerable to this issue.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.

According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3g or 1.3.4. As such, it is potentially affected by a code execution vulnerability due to how the server manages the response pool that is used to send responses from the server to the client. A remote, authenticated attacker could leverage this issue to execute arbitrary code on the remote host, subject to the privileges of the user running the affected application.

Note that Nessus did not actually test for the flaw but instead has relied on the version in ProFTPD's banner.

The remote host is using ProFTPD, a free FTP server for Unix and Linux. 

Versions of ProFTPD earlier than 1.3.3g / 1.3.4 are potentially affected by a code execution vulnerability due to how the server manages the response pool that is used to send responses from the server to the client.  A remote, authenticated attacker, exploiting this flaw, could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.

The remote host is using ProFTPD, a free FTP server for Unix and Linux.  

Versions of ProFTPD earlier than 1.3.3g / 1.3.4 are potentially affected by a code execution vulnerability due to how the server manages the response pool that is used to send responses from the server to the client.  A remote, authenticated attacker, exploiting this flaw, could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.

This update, to the current upstream stable release, includes a pair of security fixes :

  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST     attacks (upstream bug 3704); to disable this     countermeasure, which may cause interoperability issues     with some clients, use the NoEmptyFragments TLSOption

    - Response pool use-after-free memory corruption error       (upstream bug 3711, #752812, ZDI-CAN-1420,       CVE-2011-4130), in which a remote attacker could       provide a specially crafted request (resulting in a       need for the server to handle an exceptional       condition), leading to memory corruption and       potentially arbitrary code execution, with the       privileges of the user running the proftpd server

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update, to the current (and final) release for the 1.3.3 maintenance branch, includes a pair of security fixes :

  - Enable OpenSSL countermeasure against SSLv3/TLSv1 BEAST     attacks (upstream bug 3704); to disable this     countermeasure, which may cause interoperability issues     with some clients, use the NoEmptyFragments TLSOption

    - Response pool use-after-free memory corruption error       (upstream bug 3711, #752812, ZDI-CAN-1420), in which a       remote attacker could provide a specially crafted       request (resulting in a need for the server to handle       an exceptional condition), leading to memory       corruption and potentially arbitrary code execution,       with the privileges of the user running the proftpd       server

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in ProFTPD, an FTP server :

  - (No CVE id)     ProFTPD incorrectly uses data from an unencrypted input     buffer after encryption has been enabled with STARTTLS,     an issue similar to CVE-2011-0411.

  - CVE-2011-4130     ProFTPD uses a response pool after freeing it under     exceptional conditions, possibly leading to remote code     execution. (The version in lenny is not affected by this     problem.)

ID	Name	Product	Family	Severity
80742	Oracle Solaris Third-Party Patch Update : proftpd (cve_2011_4130_use_after)	Nessus	Solaris Local Security Checks	high
74521	openSUSE Security Update : proftpd (openSUSE-2011-19)	Nessus	SuSE Local Security Checks	high
70111	GLSA-201309-15 : ProFTPD: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
57895	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / current : proftpd (SSA:2012-041-04)	Nessus	Slackware Local Security Checks	high
57046	Mandriva Linux Security Advisory : proftpd (MDVSA-2011:181)	Nessus	Mandriva Local Security Checks	high
56956	ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution	Nessus	FTP	high
801028	ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution	Log Correlation Engine	FTP Servers	high
6101	ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution	Nessus Network Monitor	FTP Servers	high
56896	Fedora 16 : proftpd-1.3.4-1.fc16 (2011-15765)	Nessus	Fedora Local Security Checks	high
56895	Fedora 14 : proftpd-1.3.3g-1.fc14 (2011-15741)	Nessus	Fedora Local Security Checks	high
56894	Fedora 15 : proftpd-1.3.4-1.fc15 (2011-15740)	Nessus	Fedora Local Security Checks	high
56850	Debian DSA-2346-2 : proftpd-dfsg - several vulnerabilities	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2011-4130

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high