Package: vsftpd
Severity: grave
Tags: security
Justification: user security hole

The vsftpd daemon discloses whether usernames supplied by the client are valid or not. On connection to the server via a client, if an invalid username is supplied, a 530 error is immediately returned, instead of a password prompt being returned before failure.

Here is a sample session:

ftp despina
Connected to despina.markhobley.yi.org
220 Welcome to vsftpd server daemon
Name (despina:mark): shaggy
530 Permission denied.        <--- We should prompt for password
Login failed.                      before failing here.

By prompting for a password, the user would not know whether the username or the password is invalid. Without the password prompt, the user knows that the username is not valid, and can quickly perform a dictionary attack to obtain system usernames.

This vulnerability was first discovered in September 2003, and has not yet been patched.

http://securitytracker.com/id?1008628

Testing in December 2008 confirms that the bug is not fixed.

Mark.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages vsftpd depends on:
ii  adduser         3.110       add and remove users and groups
ii  libc6           2.7-16      GNU C Library: Shared libraries
ii  libcap1         1:1.10-14   support for getting/setting POSIX.
ii  libpam-modules  1.0.1-4     Pluggable Authentication Modules f
ii  libpam0g        1.0.1-4     Pluggable Authentication Modules l
ii  libssl0.9.8     0.9.8g-14   SSL shared libraries
ii  libwrap0        7.6.q-16    Wietse Venema's TCP wrappers libra
ii  netbase         4.34        Basic TCP/IP networking system

Versions of packages vsftpd recommends:
ii  logrotate       3.7.7-2     Log rotation utility

vsftpd suggests no packages.
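The report's point is that the FTP server acts as a username oracle: the reply to USER differs depending on whether the account exists, so the client learns something before it has even sent a password. The following is an added example, written for this page and not code from the bug report or from vsftpd itself. It models the two server behaviours as a small login state machine: the leaky one the report describes (530 straight after USER for an unknown account) and the uniform one the reporter asks for (always answer USER with a 331 password prompt, and give one identical 530 after PASS whether the user or the password was wrong). The account table, passwords and reply wording are constructed for the example; the hashing is only there so that the unknown-user path does the same amount of work as the wrong-password path.

```python
"""Added example, not part of the bug report or of vsftpd: a minimal FTP
login state machine contrasting a username-disclosing reply sequence with
a uniform one. Every account, password and reply string is constructed."""
import hashlib
import hmac

# Constructed account table (username -> sha256 hex of password). Not real users.
ACCOUNTS = {
    "mark": hashlib.sha256(b"correct-horse").hexdigest(),
}

PROMPT = "331 Please specify the password."
OK = "230 Login successful."
FAIL = "530 Login incorrect."


def _password_ok(user, password):
    """Check a password for a user. Hash the supplied password even when
    the user is unknown so both failure paths cost about the same."""
    supplied = hashlib.sha256(password.encode()).hexdigest()
    stored = ACCOUNTS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, supplied)


def leaky_login(user, password):
    """Behaviour described in the report: an unknown USER is refused at once,
    so the client never reaches the password prompt and learns that the
    account does not exist. Returns the server's reply lines in order."""
    if user not in ACCOUNTS:
        return ["530 Permission denied."]
    replies = [PROMPT]
    replies.append(OK if _password_ok(user, password) else FAIL)
    return replies


def uniform_login(user, password):
    """Hardened variant: USER always gets the 331 prompt; the verdict is only
    given after PASS, with the same 530 for bad user and bad password."""
    replies = [PROMPT]
    replies.append(OK if _password_ok(user, password) else FAIL)
    return replies


def leaks_username_validity(login):
    """True if the reply sequence for an unknown user differs from the one for
    a known user with a wrong password, i.e. if the server is a username oracle."""
    unknown_user = login("shaggy", "not-the-password")
    known_user_bad_pw = login("mark", "not-the-password")
    return unknown_user != known_user_bad_pw


if __name__ == "__main__":
    print("leaky server leaks:  ", leaks_username_validity(leaky_login))
    print("uniform server leaks:", leaks_username_validity(uniform_login))
```

`leaks_username_validity` is the check a reviewer can run against any login function: if the transcript for a non-existent account and the transcript for a real account with a bad password are not byte-for-byte identical, the server is disclosing account existence. The uniform variant passes that check while still authenticating the valid user; the cost is one extra round trip on failure, which is exactly the trade the report argues for.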
The vsftpd daemon discloses whether usernames supplied by the client are valid or not. On connection to the server via a client, if an invalid username is supplied, a 530 error is immediately returned, instead of a password prompt being returned before failure. Here is a sample session: ftp despina Connected to despina.markhobley.yi.org 220 Welcome to vsftpd server daemon Name (despina:mark): shaggy 530 Permission denied. <--- We should prompt for password Login failed. before failing here. By prompting for a password, the user would not know whether the username or the password is invalid. Without the password prompt, the user knows that the username is not valid, and can quickly perform a dictionary attack to obtain system usernames. This vulnerability was first discovered in September 2003, and has not yet been patched. http://securitytracker.com/id?1008628 Testing in December 2008 confirms that the bug is not fixed. Mark. -- System Information: Debian Release: 5.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.26-1-486 Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages vsftpd depends on: ii adduser 3.110 add and remove users and groups ii libc6 2.7-16 GNU C Library: Shared libraries ii libcap1 1:1.10-14 support for getting/setting POSIX. ii libpam-modules 1.0.1-4 Pluggable Authentication Modules f ii libpam0g 1.0.1-4 Pluggable Authentication Modules l ii libssl0.9.8 0.9.8g-14 SSL shared libraries ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra ii netbase 4.34 Basic TCP/IP networking system Versions of packages vsftpd recommends: ii logrotate 3.7.7-2 Log rotation utility vsftpd suggests no packages. -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org