Exploring FTP Vulnerabilities: Threats and Countermeasures
Learn about FTP vulnerabilities, including unencrypted data, weak authentication, and directory traversal. Discover vulnerabilities in FileZilla and CoreFTP.
FTP Server Security
FTP servers are commonly exploited due to several vulnerabilities, such as unencrypted data transmission, weak authentication mechanisms, and lack of access control and logging. These issues can lead to significant risks, including data breaches, identity theft, and malicious attacks. To enhance FTP server security, it is essential to implement encryption, restrict administrative access, define user accounts and permissions, and enforce strong password policies. Moreover, adopting more secure alternatives like SFTP or FTPS is recommended to mitigate these inherent vulnerabilities. By maintaining updated server software and employing comprehensive security measures, organizations can better protect their data and prevent unauthorized access.
The common vulnerabilities in FTP include unencrypted data transmission, weak authentication mechanisms that invite credential stuffing attacks, and unauthorized access due to a lack of access control and logging (LinkedIn Advice). Directory traversal vulnerabilities in FTP clients such as SiteDesigner Technologies' 3D-FTP and the SoftX FTP Client allow a malicious remote server to write arbitrary files on the client machine (Vulners). These vulnerabilities can expose data, passwords, and files to hackers, malware, and unauthorized access, posing risks such as data breaches, identity theft, and malicious attacks (LinkedIn Advice).
To secure FTP servers, you can take the following steps:
- Encrypt the connection: Use implicit FTPS running on port 990 or explicit FTPS running on port 21 to secure the command and data channels, protecting data and user credentials from being sent over the Internet without protection.
- Lock down administration: Restrict admin duties to a limited number of users, require multi-factor authentication, store passwords in an AD domain or LDAP server, and avoid common admin user IDs like “root” or “admin” to prevent hackers from gaining easy access.
- Define user accounts and permissions: Assign each user a unique account and login directory to prevent access to other users’ files. Implement permissions that limit users’ functionality to what is necessary, such as enabling only uploading files for users who require this task.
- Enforce password compliance: Ensure strong password policies to prevent security vulnerabilities due to weak passwords.
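The first step above (encrypting the command and data channels) is easy to get half right: many FTPS clients negotiate TLS for the login but leave the data connection in the clear, or skip certificate verification entirely. The following Python example, added here and not taken from any of the cited sources, shows an explicit FTPS upload using only the standard library's `ftplib` and `ssl`: it verifies the server certificate, pins the minimum protocol to TLS 1.2, and issues `PROT P` so file contents are encrypted as well. The host, account, file names and the optional `cafile` are caller-supplied placeholders.

```python
import ftplib
import ssl


def make_ftps_context(cafile=None):
    """TLS policy for an FTPS client: verify the server certificate against
    the system CA store (or a private CA passed as cafile), check the
    hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Summarise what a context enforces, for audit logging or a self-check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def upload_over_explicit_ftps(host, user, password, local_path, remote_name,
                              cafile=None, timeout=15):
    """Upload one file over explicit FTPS (AUTH TLS on port 21).

    host/user/password/paths are whatever the caller supplies (assumed values,
    nothing here is tied to a particular server). After auth() only the
    control channel is protected; prot_p() is what encrypts the data
    connection, otherwise the file contents still cross the network in clear.
    """
    ftps = ftplib.FTP_TLS(context=make_ftps_context(cafile), timeout=timeout)
    ftps.connect(host, 21)
    try:
        ftps.auth()                  # AUTH TLS: upgrade the control connection
        ftps.login(user, password)   # credentials now travel inside TLS
        ftps.prot_p()                # PROT P: encrypt the data connection too
        with open(local_path, "rb") as fh:
            reply = ftps.storbinary(f"STOR {remote_name}", fh)
        ftps.quit()
        return reply
    finally:
        ftps.close()                 # no-op if quit() already closed the socket
```

Implicit FTPS on port 990 wraps the socket in TLS before the server greeting; `ftplib` does not do that out of the box, so that variant needs a small `FTP_TLS` subclass and is not shown here. The `describe_context` helper is there so a deployment can log the policy it actually enforces rather than assume the defaults.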
It is essential to take a multi-faceted approach to secure FTP servers effectively, encompassing encryption, attack recognition, password policies, and access restrictions (JSCAPE, Fortra, Acunetix).
It is recommended to avoid using FTP for secure file transfers due to its inherent security vulnerabilities. Instead, opt for more secure options such as SFTP, SCP, or HTTPS, which offer built-in security features. FTP's unencrypted data transmission can expose files, passwords, and other sensitive information to potential breaches, identity theft, and malicious attacks (Wikipedia, LinkedIn Advice). When implementing FTP, it is crucial to keep the server software up-to-date, enforce user account and permission management to prevent unauthorized access, and ensure strong password compliance to mitigate security risks effectively (StackExchange, JSCAPE).
Brute-force attacks are one of the common types of attacks on FTP servers. In this form of attack, the attacker tries multiple login and password combinations to gain unauthorized access to the server. Attackers may use common usernames and passwords or conduct reconnaissance to gather information about potential passwords, such as using personal information like birth years or last names. Implementing measures such as recognizing and blocking attack sources, setting time and IP limits for server access, using secure alternatives like SFTP and FTPS, regularly updating and patching FTP servers, implementing strong password policies, restricting anonymous access, and monitoring FTP sessions can help mitigate the risks associated with FTP attacks and enhance the security of data transfers (Aryan Srivastava, JSCAPE, CapLinked).
To prevent FTP brute force attacks, it is recommended to implement software like RDPGuard that can automatically block the source IP of the attack from further connections (RDPGuard). Additionally, enabling time and IP limits on your FTP server can add an extra layer of security by restricting access to specific times and client IP addresses, making stolen credentials useless to attackers in certain scenarios (JSCAPE). Lastly, always using strong passwords is crucial in protecting FTP passwords from brute force attacks, as weak passwords are more susceptible to being compromised (JSCAPE).
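The two mitigations described above (block a source after repeated failed logins, and restrict connections to approved addresses and hours) are straightforward to express as detection logic over the server's own log. The Python example below is added here and is not part of the cited sources or of any product; it parses login lines in the style vsftpd writes to its log (the sample lines are constructed, not real traffic), flags a client IP once it reaches a threshold of failures inside a sliding time window, and applies an IP/time allow-list. The threshold, window and allowed networks are assumed values to tune per deployment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in vsftpd's log style (not real traffic): one
# source fails five times in ten seconds, another fails once after a success.
SAMPLE_LOG_LINES = [
    'Mon Mar  4 10:00:01 2024 [pid 4021] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar  4 10:00:03 2024 [pid 4021] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar  4 10:00:04 2024 [pid 4023] [alice] OK LOGIN: Client "198.51.100.20"',
    'Mon Mar  4 10:00:06 2024 [pid 4021] [root] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar  4 10:00:09 2024 [pid 4021] [ftp] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar  4 10:00:11 2024 [pid 4021] [test] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar  4 10:15:00 2024 [pid 4030] [bob] FAIL LOGIN: Client "198.51.100.20"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_login_event(line):
    """Return {'ts', 'user', 'result', 'ip'} for a login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    return ev


def find_brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector: flag a client IP once it accumulates
    `threshold` failed logins within `window`. Returns {ip: time_flagged}.
    The flagged set is what a blocker would feed into the firewall."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_login_event(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def connection_allowed(ip, when, allowed_networks, allowed_hours):
    """Time and IP limits: accept a connection only from an allow-listed
    network (CIDR strings) and within [start_hour, end_hour) local time."""
    addr = ipaddress.ip_address(ip)
    in_network = any(addr in ipaddress.ip_network(n) for n in allowed_networks)
    start_hour, end_hour = allowed_hours
    return in_network and start_hour <= when.hour < end_hour
```

Run over the sample, only `203.0.113.7` is flagged, at the fifth failure; the single failure from `198.51.100.20` stays below the threshold, which is the behaviour you want so that a mistyped password does not lock out a legitimate user. The same allow-list check also covers the "time and IP limits" recommendation repeated in the client section below.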
FTP security breaches are a significant concern due to the vulnerabilities associated with the File Transfer Protocol. Weak authentication mechanisms can be exploited by attackers through techniques like credential stuffing, where stolen or leaked credentials are used to gain unauthorized access to servers. Additionally, a lack of access control and logging in FTP servers can lead to unauthorized access (LinkedIn Advice). Ultimately, keeping the server's protocol implementation regularly updated is crucial to maintaining the security of data transfers and mitigating security risks (CapLinked).
FTP Client Vulnerabilities
Common FTP client vulnerabilities include the following (LinkedIn Advice, Vulners):
- Directory traversal vulnerabilities such as CVE-2010-3102 and CVE-2010-3096, which allow remote FTP servers to write arbitrary files through crafted path components in the file names they supply.
- Weak authentication mechanisms, which can be exploited by attackers through techniques like credential stuffing, where stolen or leaked credentials are used to gain unauthorized access to the server.
- Unauthorized access due to lack of proper access control and logging can also pose a risk to FTP clients.
SiteDesigner Technologies' 3D-FTP Client 9.0 build 2 (and possibly earlier versions), SoftX FTP Client 3.3 (and possibly earlier versions) and VSFTPD 2.3.4 are known to have vulnerabilities (Vulners, Snyk, S3Curiosity).
The latest FTP client vulnerabilities include a directory traversal vulnerability in the SiteDesigner Technologies, 3D-FTP Client 9.0 build 2, and possibly earlier versions, as well as a directory traversal vulnerability in the SoftX FTP Client 3.3 and possibly earlier versions (Vulners). Additionally, there was a path traversal vulnerability identified and responsibly disclosed to several affected vendors in November 2017, which can affect multiple applications and libraries allowing a malicious FTP server to create or overwrite files anywhere on the local file system (Snyk).
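The client-side traversal issues described above share one root cause: the client takes a file name from the server's directory listing and joins it onto the local download directory without checking it, so a name carrying `..` or an absolute path lands outside that directory. The Python example below is added here and is not code from any of the affected clients or the cited advisories; it shows the unchecked join beside a confinement check that rejects separators, relative-parent and absolute names, and then re-verifies the resolved path (so a previously planted symlink cannot relocate the write). The `plan_downloads` helper applies it to a whole listing, as a client would before an `mget`; the directory and listing names are constructed.

```python
import os
from pathlib import Path


class UnsafeRemoteName(ValueError):
    """A server-supplied file name that would escape the download directory."""


def unsafe_save_path(download_dir, remote_name):
    """The pattern behind the client traversal advisories: the name from the
    server's listing is joined onto the download directory unchecked.
    Returned normalised so the escape is visible in the result."""
    return os.path.normpath(os.path.join(download_dir, remote_name))


def safe_save_path(download_dir, remote_name):
    """Confine a server-supplied name to a single entry directly inside
    download_dir. Raises UnsafeRemoteName otherwise."""
    name = remote_name.replace("\\", "/")          # treat Windows separators alike
    if name in ("", ".", "..") or "/" in name or "\x00" in name:
        raise UnsafeRemoteName(remote_name)
    if Path(name).is_absolute() or Path(name).drive:  # "/etc/x", or "C:x" on Windows
        raise UnsafeRemoteName(remote_name)
    base = Path(download_dir).resolve()
    target = (base / name).resolve()                # follows a symlink if one exists
    if target.parent != base:                       # a planted symlink would move it
        raise UnsafeRemoteName(remote_name)
    return target


def plan_downloads(download_dir, listing):
    """Apply safe_save_path to every name in a server listing before fetching.
    Returns (accepted {name: local_path}, rejected [names])."""
    accepted, rejected = {}, []
    for name in listing:
        try:
            accepted[name] = safe_save_path(download_dir, name)
        except UnsafeRemoteName:
            rejected.append(name)
    return accepted, rejected
```

A client that downloads recursively cannot simply reject every `/`; it has to validate each path component of each entry the same way, and create subdirectories itself rather than trusting the server's structure. Rejecting rather than "cleaning" a bad name is deliberate: a server that sends such names is hostile, and the safest response is to stop the transfer and report it.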
To protect FTP clients from vulnerabilities, it is recommended to implement software that can recognize and automatically block attacks by blocking the source IP of the attacker from further connections (JSCAPE). Additionally, enabling time and IP limits on the FTP server can enhance security by restricting access to specific times and client IP addresses, ensuring that only authorized users can connect to the server (JSCAPE). Furthermore, ensuring complex passwords are in place and enforced, enabling intruder lockout on the FTP server, and regularly scanning for vulnerabilities using tools like vulnerability scanners can help identify and mitigate any weaknesses that could be exploited by attackers (Acunetix). By taking these steps, FTP clients can be better protected from potential security risks and vulnerabilities.
FTP client vulnerabilities pose significant risks such as data breaches, identity theft, and malicious attacks due to potential exploitation of vulnerabilities such as directory traversal, weak encryption, and FTP bounce attacks (LinkedIn Advice). These vulnerabilities can lead to unauthorized access to directories, interception of sensitive data, and the compromise of login credentials and files due to the lack of encryption in FTP connections (Skyway West).
To detect and mitigate FTP client vulnerabilities, it is crucial to implement the following measures:
- Conduct regular port scans of external-facing systems to identify any FTP servers that may pose a risk.
- Utilize a good vulnerability scanner on the host itself to uncover FTP-centric flaws.
- Implement complex passwords and enable intruder lockout on the FTP server.
- Recognize attacks and automatically block the source IP of the attack from further connections.
- Enable time and IP limits to restrict access to the FTP server to specific times and client IPs, preventing unauthorized connections.
- Stay informed about vulnerabilities in FTP clients and promptly apply patches and updates from vendors to mitigate risks.
By adopting a proactive approach that combines these strategies, organizations can effectively detect and mitigate FTP client vulnerabilities, thus enhancing the security of their systems (Acunetix, JSCAPE, Snyk).
Specific FTP Client Security — FileZilla
Known FileZilla vulnerabilities include a flaw in the filter of FileZilla 3.43.0 rc2 that can be exploited remotely by a non-authenticated attacker over the Internet; no malware exploiting this specific vulnerability is known at the time of writing (Cybersecurity Help).
To secure FileZilla from cyber attacks, it is essential to ensure that you are using the latest version of the software (Panda Security). Additionally, it is recommended to enable encryption for the administration protocol and use strong cryptographic algorithms to hash and salt passwords before encoding them (InfinityFree). Regularly updating the software will help prevent potential vulnerabilities and exploits that cyber attackers may target. Consider using a hardware firewall to add an extra layer of security to your system (InfinityFree). It is also crucial to be cautious of malware that may imitate FileZilla (Panda Security).
A warning about a malicious version of the FTP software FileZilla that is stealing users’ credentials has been recently announced (TheHackerNews). Additionally, cybersecurity experts have highlighted vulnerabilities in FileZilla 3.43.0 rc2 that can be exploited by remote non-authenticated attackers via the internet (Cybersecurity Help).
Specific FTP Client Security — CoreFTP
Common vulnerabilities in CoreFTP include buffer overflow vulnerabilities that can lead to denial of service (DoS) attacks and remote code execution. These vulnerabilities are found in various versions of CoreFTP Server and CoreFTP LE, allowing attackers to exploit flaws in the software through crafted packets, long directory names, and other means to compromise the system’s security and functionality (Vulners, HKCERT).
Similar to FileZilla, there are recent security advisories and reports related to CoreFTP vulnerabilities, such as CVE-2022-22899, CVE-2022-22836, CVE-2020-19595, CVE-2020-19596, and CVE-2020-21588. These vulnerabilities cover the issue classes mentioned above, namely denial of service (DoS), directory traversal, and buffer overflows, highlighting security concerns within CoreFTP applications (Vulners). It is noted that the CoreFTP team has been responsive in addressing these vulnerabilities, and users are advised to update their applications to mitigate the risks (YSBM). Additionally, there have been historical vulnerabilities in older versions of Core FTP Server as well, like CVE-2014-1443, which allowed remote authenticated users to obtain sensitive information (Vumetric).
Update your CoreFTP application to the latest version provided by the CoreFTP team to patch the identified vulnerabilities (Vulners, YSBM). Regularly update the application to stay protected against newly discovered vulnerabilities. Additionally, before installing the software, visit the manufacturer’s website for more details on security updates and best practices to enhance the security of CoreFTP (HKCERT).
Securing FTP servers and clients is crucial to protect against vulnerabilities such as unencrypted data transmission, weak authentication mechanisms, and unauthorized access. Implementing encryption, robust access control, and strong password policies can significantly reduce the risks of data breaches and identity theft. It is also advisable to consider more secure alternatives like SFTP or FTPS for sensitive data transfers. Regularly updating server and client software, enforcing strict user permissions, and monitoring for suspicious activities are essential practices to maintain a secure FTP environment. By adopting these comprehensive security measures, organizations can effectively safeguard their data and mitigate potential threats associated with FTP.
References
- Acunetix. Securing FTP Running on Your Web Server. Retrieved from https://www.acunetix.com/blog/articles/protecting-ftp-web-server/
- Aryan Srivastava. Brute Forcing & Protecting an FTP Server. Retrieved from https://arytmw.medium.com/brute-forcing-protecting-an-ftp-server-f89bdd97903d
- CapLinked. Is FTP Secure? What Enterprises Should Know. Retrieved from https://www.caplinked.com/blog/is-ftp-secure/
- Vumetric. CVE-2014-1443 — Buffer Errors vulnerability in Coreftp Core FTP 1.2. Retrieved from https://cyber.vumetric.com/vulns/CVE-2014-1443/buffer-errors-vulnerability-in-coreftp-core-ftp-1-2/
- Cybersecurity Help. OS command injection in FileZilla. Retrieved from https://www.cybersecurity-help.cz/vdb/SB2019062904
- Wikipedia. File Transfer Protocol. Retrieved from https://en.wikipedia.org/wiki/File_Transfer_Protocol
- Fortra. 10 Essential Tips for Securing FTP and SFTP Servers. Retrieved from https://www.fortra.com/blog/10-essential-tips-securing-ftp-and-sftp-servers
- InfinityFree. FileZilla security — Informal. Retrieved from https://forum.infinityfree.com/t/filezilla-security/77251
- HKCERT. CoreFTP buffer overflow vulnerability. Retrieved from https://www.hkcert.org/security-bulletin/coreftp-buffer-overflow-vulnerability
- JSCAPE. How To Protect FTP Passwords From Brute Force Attacks. Retrieved from https://www.jscape.com/blog/protecting-ftp-passwords-from-brute-force-attacks
- JSCAPE. How to Secure FTP Servers in 5 Steps. Retrieved from https://www.jscape.com/blog/5-steps-to-a-secure-ftp-server
- LinkedIn Advice. How to Avoid Common Vulnerabilities in FTP. Retrieved from https://www.linkedin.com/advice/1/what-common-vulnerabilities-ftp-how-do-you-avoid-them
- S3Curiosity. Understanding the Vulnerabilities in VSFTPD 2.3.4. Retrieved from https://medium.com/@S3Curiosity/understanding-the-vulnerabilities-in-vsftpd-2-3-4-f5e0b8317af5
- Panda Security. FileZilla: Careful with malware! Retrieved from https://www.pandasecurity.com/en/mediacenter/careful-filezilla-malware-imitates-perfectly/
- RDPGuard. Brute-force protection for your FTP server. Block failed FTP logins in any FTP Server software. FTP brute force attack detection and blocking. Retrieved from https://rdpguard.com/ftp-bruteforce-protection.aspx
- Snyk. Use of a Broken or Risky Cryptographic Algorithm in filezilla-client | CVE-2024-31497. Retrieved from https://security.snyk.io/vuln/SNYK-UNMANAGED-FILEZILLACLIENT-6615675
- Snyk. Attacking an FTP Client: MGETting more than you bargained for. Retrieved from https://snyk.io/blog/attacking-an-ftp-client/
- StackExchange. Is it safer to use a port other than 21 for FTP? — Information Security Stack Exchange. Retrieved from https://security.stackexchange.com/questions/134228/is-it-safer-to-use-a-port-other-than-21-for-ftp
- Skyway West. What is an Open Service FTP Vulnerability, what is the risk and how can you mitigate that risk? Retrieved from https://www.skywaywest.com/2021/05/what-is-an-open-service-ftp-vulnerability-what-is-the-risk-and-how-to-mitigate-it/
- TheHackerNews. Warning: Malicious version of FTP Software FileZilla stealing users’ Credentials. Retrieved from https://thehackernews.com/2014/01/warning-malicious-version-of-ftp.html
- Vulners. Ftp Client Security Vulnerabilities and Issues — Ftp Client CVE List. Retrieved from https://vulners.com/search/products/Ftp_client
- Vulners. Core Ftp Security Vulnerabilities and Issues — Core Ftp CVE List. Retrieved from https://vulners.com/search/products/Core_ftp
- YSBM. CoreFTP Arbitrary File Write (CVE-2022-22836) and Remote DoS (CVE-2022-22899). Retrieved from https://yoursecuritybores.me/coreftp-vulnerabilities/