Is ProFTPd Vulnerable on Ubuntu 14.04 LTS?

Hi,

I have recently become aware of new (to me) attacks against ProFTPd on a Virtualmin Pro server running Ubuntu 14.04 LTS.

CVE-2015-3306

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3306

There is, apparently, no updated ‘proftpd’ package for Ubuntu 14.04 LTS and the included version is (apparently) vulnerable.

Is this something I should worry about?

Or does the Virtualmin implementation of ProFTPd mitigate this issue?

What have other Virtualmin admins done to mitigate this issue?

For now, I have commented out the mod_copy module in /etc/proftpd/modules.conf and restarted the daemon. I don’t know how successful this was nor do I know that it won’t cause problems for users. Has anyone else tried this?

http://comments.gmane.org/gmane.network.proftpd.user/9852
https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311
http://www.proftpd.org/docs/contrib/mod_copy.html

Thanks in advance for any comments,

G

Hi,

Virtualmin on Ubuntu does not mitigate the issue. It’s a bit more difficult to exploit since it needs a world-writable, predictable directory path. But if you have ProFTPd combined with that and a PHP interpreter, this is pretty disastrous.

I recently packaged the upstream fix as a backported patch for ProFTPd in 12.04 and 14.04. Please visit https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311 and indicate that you’re affected. It’s waiting on a member of the MOTU security team to review and sponsor my patch.
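Both posts come down to two questions an admin can check rather than guess at: is mod_copy still loaded after editing /etc/proftpd/modules.conf (first post), and does the server still honour SITE CPFR before any login, which is the unpatched behaviour the reply describes (second post). The script below is an added example written for this thread, not code from either poster, from Virtualmin or from the ProFTPD project. The modules.conf text is a constructed sample; the host name on the command line and the reply-code interpretation (350 = CPFR accepted without a login, 530 = refused until login, 500/502 = SITE CPFR unknown because mod_copy is not loaded) are assumptions taken from mod_copy's documentation and ProFTPD's standard reply strings. The probe only sends CPFR, which records a source path and copies nothing; it never sends CPTO.

```python
"""Check whether a ProFTPD host still has mod_copy exposed (CVE-2015-3306).

Two checks:
  1. config side: is mod_copy still loaded in /etc/proftpd/modules.conf?
  2. network side: does the server accept SITE CPFR before login?
Added example for the thread above; reply-code meanings are assumptions
taken from the mod_copy docs, not verified against every ProFTPD build.
"""
import io
import re
import socket

# Constructed sample of an Ubuntu-style modules.conf; not from a real host.
SAMPLE_MODULES_CONF_BEFORE = """\
<IfModule mod_dso.c>
  ModulePath /usr/lib/proftpd
  ModuleControlsACLs insmod,rmmod allow user root
  LoadModule mod_ctrls_admin.c
  LoadModule mod_copy.c
  LoadModule mod_sql.c
</IfModule>
"""

# Same file after the mitigation from the first post: LoadModule commented out.
SAMPLE_MODULES_CONF_AFTER = SAMPLE_MODULES_CONF_BEFORE.replace(
    "  LoadModule mod_copy.c", "  #LoadModule mod_copy.c")

LOADMODULE_RE = re.compile(r"^LoadModule\s+(\S+)", re.IGNORECASE)


def loaded_modules(conf_text):
    """Return module names from active (uncommented) LoadModule lines."""
    mods = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out: module is not loaded
        m = LOADMODULE_RE.match(stripped)
        if m:
            mods.append(m.group(1))
    return mods


def mod_copy_loaded(conf_text):
    """True if modules.conf still loads mod_copy as a DSO."""
    return "mod_copy.c" in loaded_modules(conf_text)


def classify_reply(reply):
    """Interpret the reply to an unauthenticated 'SITE CPFR /'.

    Assumed codes: 350 means mod_copy accepted the source path with no
    login (unpatched behaviour); 530 means it refused for lack of a login
    (patched mod_copy); 500/502 means SITE CPFR is not understood at all
    (mod_copy not loaded). Anything else is reported as unknown.
    """
    m = re.match(r"^(\d{3})[ -]", reply)
    if not m:
        return "unknown"
    code = int(m.group(1))
    if code == 350:
        return "exposed"
    if code == 530:
        return "refused-needs-login"
    if code in (500, 502):
        return "refused-not-supported"
    return "unknown"


def read_reply(sock_file):
    """Read one FTP reply, including multi-line ('xyz-' ... 'xyz ') replies."""
    first = sock_file.readline().decode("latin-1")
    lines = [first]
    if len(first) >= 4 and first[3] == "-":
        code = first[:3]
        while True:
            line = sock_file.readline().decode("latin-1")
            if not line:
                break
            lines.append(line)
            if line.startswith(code + " "):
                break
    return "".join(lines)


def reply_from_bytes(data):
    """Parse a single reply out of captured bytes (used for offline tests)."""
    return read_reply(io.BytesIO(data))


def probe_site_cpfr(host, port=21, timeout=5.0):
    """Connect, read the banner, send SITE CPFR before USER/PASS, classify.

    CPFR alone only records a source path; no CPTO is ever sent, so nothing
    is copied on the server.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = read_reply(f)  # 220 greeting
        s.sendall(b"SITE CPFR /\r\n")
        reply = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return banner, reply, classify_reply(reply)


if __name__ == "__main__":
    import sys
    print("mod_copy loaded (before):", mod_copy_loaded(SAMPLE_MODULES_CONF_BEFORE))
    print("mod_copy loaded (after) :", mod_copy_loaded(SAMPLE_MODULES_CONF_AFTER))
    if len(sys.argv) > 1:  # optional live probe: python3 check_mod_copy.py ftp.example.org
        banner, reply, verdict = probe_site_cpfr(sys.argv[1])
        print(reply.strip(), "->", verdict)
```

Run it with no argument to exercise the config check on the built-in samples, or with a host name to probe a server you administer. Two caveats: commenting out LoadModule only helps when mod_copy is a DSO; `proftpd -l` lists the modules compiled statically into the binary, and a static mod_copy stays active regardless of modules.conf. And a "refused" verdict from the probe says nothing about the world-writable directory and PHP interpreter the reply mentions; it only tells you whether the CPFR/CPTO entry point is reachable without credentials.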