Vigil@nce: vsftpd, denial of service during authentication
July 2008 by Vigil@nce
SYNTHESIS
A remote attacker can try several authentications in order to
create a denial of service.
Gravity: 3/4
Consequences: denial of service
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 25/07/2008
Identifier: VIGILANCE-VUL-7971
IMPACTED PRODUCTS
– Red Hat Enterprise Linux [confidential versions]
– vsftpd [confidential versions]
DESCRIPTION
Before version 2.0.5, the vsftpd FTP server did not limit the
number of authentication attempts.
During authentication a memory area is not freed. An attacker can
therefore attempt several authentications in the same FTP session in
order to exhaust the memory of the process. Technical details are
not known.
A remote attacker can therefore try several authentications in
order to create a denial of service.
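The behaviour described above (many failed logins in one FTP session instead of one login per connection) leaves a visible trace in the server log, which a defender can monitor. The following detector is an added example and is not part of the Vigil@nce advisory or of vsftpd itself. It assumes vsftpd's own log format (vsftpd.log with xferlog_std_format=NO), in which every line carries a "[pid N]" field; since vsftpd handles each session in a separate child process, that pid identifies the session. The log lines, timestamps, pids and client addresses are constructed for the example. The default threshold of 3 mirrors the default of the max_login_fails setting in vsftpd.conf, which is the configuration knob that terminates a session after that many failures; the advisory itself does not mention that setting.

```python
"""Flag FTP sessions that accumulate many failed logins.

Added example (not from the advisory): reads vsftpd-style log lines and
reports sessions whose number of FAIL LOGIN events exceeds a threshold.
"""
import re
from collections import defaultdict

# One vsftpd.log line, e.g.
#   Fri Jul 25 10:00:02 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
# The "[user]" field is absent on CONNECT lines, hence the optional group.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>[A-Z ]+): Client "(?P<client>[^"]+)"'
)


def parse_line(line):
    """Return the fields of one vsftpd log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sessions_over_limit(lines, limit=3):
    """Return {pid: (client, failures)} for every session with more than
    `limit` FAIL LOGIN events.

    `limit` defaults to 3, the default of vsftpd's max_login_fails option;
    a session exceeding it means the server is not cutting the connection.
    """
    fails = defaultdict(int)
    clients = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a vsftpd session line, ignore
        clients.setdefault(rec['pid'], rec['client'])
        if rec['event'] == 'FAIL LOGIN':
            fails[rec['pid']] += 1
    return {pid: (clients[pid], n) for pid, n in fails.items() if n > limit}


def _build_sample_log():
    """Constructed sample: one normal session (two typos, then success) and
    one session that keeps retrying the login prompt without disconnecting.
    All values are invented for the example."""
    lines = [
        'Fri Jul 25 10:00:01 2008 [pid 4101] CONNECT: Client "192.0.2.10"',
        'Fri Jul 25 10:00:02 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"',
        'Fri Jul 25 10:00:03 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"',
        'Fri Jul 25 10:00:04 2008 [pid 4101] [alice] OK LOGIN: Client "192.0.2.10"',
        'Fri Jul 25 10:00:10 2008 [pid 4102] CONNECT: Client "198.51.100.7"',
        'this line is not a vsftpd record and must be skipped',
    ]
    for i in range(25):
        lines.append(
            'Fri Jul 25 10:00:%02d 2008 [pid 4102] [ftp] FAIL LOGIN: '
            'Client "198.51.100.7"' % (11 + i)
        )
    return lines


SAMPLE_LOG = _build_sample_log()


if __name__ == '__main__':
    for pid, (client, n) in sessions_over_limit(SAMPLE_LOG).items():
        print(f'session pid={pid} from {client}: {n} failed logins')
```

Run against a real vsftpd.log the same logic applies line by line; in practice one would feed it the tail of the log on a schedule and alert on any session that appears in the result, since a properly limited server never lets a session past max_login_fails failures.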
CHARACTERISTICS
Identifiers: 197141, BID-30364, CVE-2008-2375, RHSA-2008:0579-01,
RHSA-2008:0680-01, VIGILANCE-VUL-7971