ProFTPD Remote Code Execution Bug Exposes Over 1 Million Servers (Jul 22, 2019)

The publicly available, cross-platform FTP server ProFTPD is affected by a Remote Code Execution (RCE) vulnerability, registered as CVE-2019-12815, that puts over one million servers at risk. The vulnerability was identified by security researcher Tobias Mädel and reported to ProFTPD in September 2018. A temporary fix was issued on July 17; however, no official patch has been issued.

Recommendation: The significant volume of vulnerable servers affected by CVE-2019-12815 will likely cause threat actors to attempt to exploit the vulnerability for malicious purposes. These operations could consist of compromising the servers and installing cryptocurrency-mining malware or ransomware, among others. Your company should have policies in place for maintaining server software so that new security updates are applied as soon as possible. Threat actors will often use vulnerabilities for which patches have already been issued, because information and proof-of-concept code for an exploit sometimes become available on public sources once a patch has been issued. Actors of all levels of sophistication are known to exploit such vulnerabilities because, as this story shows, many users and administrators do not apply security updates.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.