
CVE-2020-35359 Scanner
CVE-2020-35359 Scanner - Denial Of Service vulnerability in Pure-FTPd
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 23 days 4 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Pure-FTPd is a free (BSD-licensed), secure, production-quality and standards-conformant FTP server. It is actively maintained and widely used in web hosting environments because of its focus on security and ease of configuration. Its feature set, including compatibility with all Unix platforms and with security protocols, suits both small personal sites and large enterprise environments. Because it supports most FTP extensions, it allows efficient file transfers over the network, and its modular design lets administrators easily manage users and virtual domains.
The Denial of Service (DoS) vulnerability in Pure-FTPd version 1.0.48 is a significant concern because it can leave the service overwhelmed and unavailable. A malicious actor can exploit it to exhaust the available connections, preventing legitimate users from using the service. The vulnerability arises from the lack of proper connection limits, which allows unauthorized flooding of connections. Exploitation affects the availability aspect of security and can lead to downtime.
Pure-FTPd version 1.0.48 is vulnerable because it handles concurrent connections insufficiently: without connection limits, an attacker can open numerous connections to the server without proper checks and overwhelm its resources. This can be done remotely by sending many connection requests in rapid succession, exploiting the connection exhaustion weakness. The problem specifically occurs when the FTP server fails to enforce a maximum number of simultaneous connections per IP address.
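The paragraph above pins the problem to a missing per-IP connection limit, which is a configuration state an administrator can check for. The shell snippet below is an added audit helper, not part of this scanner page and not code from the Pure-FTPd project: it reads a pure-ftpd.conf and reports whether the MaxClientsPerIP and MaxClientsNumber directives (the directive names used in the stock pure-ftpd.conf) carry a non-zero value. It goes slightly beyond the text by also checking the global client limit. The two sample configurations are constructed for the demonstration, and treating a missing or zero value as "not enforced" is this helper's own assumption rather than something the page states about the server's defaults.

```shell
#!/bin/sh
# Added audit helper (not from the scanner page or the Pure-FTPd project).
# Reads a pure-ftpd.conf and reports whether connection limits are configured.
# Assumptions: directive names MaxClientsPerIP / MaxClientsNumber as in the
# stock pure-ftpd.conf; a missing or zero value is treated as "not enforced".

# Constructed sample: per-IP limit commented out (the condition described above).
SAMPLE_WEAK='# pure-ftpd.conf (constructed sample)
ChrootEveryone yes
MaxClientsNumber 50
# MaxClientsPerIP 8
NoAnonymous yes'

# Constructed sample: both limits set.
SAMPLE_HARDENED='# pure-ftpd.conf (constructed sample)
ChrootEveryone yes
MaxClientsNumber 50
MaxClientsPerIP 8   # trailing comments are ignored too
NoAnonymous yes'

# conf_value FILE DIRECTIVE
# Prints the value of the last active (uncommented) occurrence of DIRECTIVE,
# matched case-insensitively on the first token; prints nothing if absent.
conf_value() {
    sed 's/#.*//' "$1" |
        awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }'
}

# audit_conf FILE
# Prints "ok: ..." and returns 0 when both limits are present and non-zero;
# prints "weak: <reasons>" and returns 1 otherwise.
audit_conf() {
    per_ip=$(conf_value "$1" MaxClientsPerIP)
    total=$(conf_value "$1" MaxClientsNumber)
    reason=""
    case "$per_ip" in
        ''|0) reason="MaxClientsPerIP not enforced" ;;
    esac
    case "$total" in
        ''|0) reason="${reason:+$reason; }MaxClientsNumber not enforced" ;;
    esac
    if [ -n "$reason" ]; then
        printf 'weak: %s\n' "$reason"
        return 1
    fi
    printf 'ok: MaxClientsPerIP=%s MaxClientsNumber=%s\n' "$per_ip" "$total"
}

# Demo: write each constructed sample to a temp file and audit it.
demo() {
    tmp=$(mktemp)
    for sample in "$SAMPLE_WEAK" "$SAMPLE_HARDENED"; do
        printf '%s\n' "$sample" > "$tmp"
        audit_conf "$tmp" || :
    done
    rm -f "$tmp"
}

demo
```

Run it as `sh audit.sh` to see one "weak:" and one "ok:" line; point `audit_conf` at the real configuration path to audit a deployed server. The helper only inspects the file, so a limit supplied on the pure-ftpd command line instead of in the configuration file would not be seen by it.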
If exploited, this Denial of Service vulnerability can make the Pure-FTPd service unresponsive, cutting off access to the files hosted on the FTP server. The resulting downtime can disrupt users' business operations and data transfers, with potentially significant financial and reputational impact on the organization running the server. Repeated exploitation can also erode users' trust in the service's reliability, with longer-term consequences for service providers.