Rapid7 Vulnerability & Exploit Database

CESA-2004:096: wu-ftpd security update

Back to Search

CESA-2004:096: wu-ftpd security update

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
03/15/2004
Created
07/25/2018
Added
03/12/2010
Modified
07/04/2017

Description

An updated wu-ftpd package that fixes two security issues is now available.

The wu-ftpd package contains the Washington University FTP (File Transfer Protocol) server daemon. FTP is a method of transferring files between machines. Glenn Stewart discovered a flaw in wu-ftpd. When configured with "restricted-gid home", an authorized user could use this flaw to circumvent the configured home directory restriction by using chmod. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0148 to this issue. Michael Hendrickx found a flaw in the S/Key login handling. On servers using S/Key authentication, a remote attacker could overflow a buffer and potentially execute arbitrary code. Users of wu-ftpd are advised to upgrade to this updated package, which contains backported security patches and is not vulnerable to these issues.

Solution(s)

  • centos-upgrade-wu-ftpd

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;