CVE-2020-15152
📋 TL;DR
CVE-2020-15152 is a Server-Side Request Forgery (SSRF) vulnerability in the ftp-srv npm package. In active-mode FTP the client tells the server where to open the data connection with the PORT command; vulnerable versions of ftp-srv open that connection to whatever IP address and port the client supplies instead of restricting it to the client's own address. Anyone running a vulnerable version of ftp-srv as an FTP server is affected. An attacker can use the server as a connection proxy to probe internal networks or to reach systems that trust the FTP host.
💻 Affected Systems
- ftp-srv
📦 What is this software?
Ftp Srv by Ftp Srv Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the vulnerable FTP server as a proxy to conduct port scanning, attack internal systems, or participate in DDoS attacks against external targets while hiding their true IP address.
Likely Case
Attackers scan internal networks or make the server connect to internal services that should not be reachable from it, potentially leading to information disclosure or further exploitation. The server's reply to the data-transfer command that follows the PORT (a transfer starting versus a "can't open data connection" error) tells the attacker whether the target port accepted the connection, which is what makes the flaw usable as a port scanner.
If Mitigated
With proper network segmentation and egress filtering, the impact is limited to unsuccessful connection attempts or minimal information disclosure.
🎯 Exploit Status
Exploitation requires a session on the FTP control port; if anonymous access is enabled, no credentials are needed. A crafted PORT command naming the target address and port, followed by any data-transfer command such as LIST, is enough, so basic FTP client knowledge (or a raw TCP client) suffices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.6, 3.1.2, or 4.3.4 depending on major version
Vendor Advisory: https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
Restart Required: Yes
Instructions:
1. Identify your ftp-srv major version (2.x, 3.x, or 4.x) with npm ls ftp-srv. Check transitive dependencies as well, since another package may pull ftp-srv in.
2. Install the patched release for that major version with an explicit version: npm install ftp-srv@2.19.6, npm install ftp-srv@3.1.2, or npm install ftp-srv@4.3.4. Pin it in package.json and the lockfile so the version does not regress.
3. Restart the FTP server process so the new module is loaded.
🔧 Temporary Workarounds
Block the PORT command via configuration (all affected versions)
Configure ftp-srv to reject PORT entirely by adding blacklist: ['PORT'] to the FtpSrv options. Clients are then limited to passive mode (PASV/EPSV), which does not take a client-supplied address. If your version also registers the extended form EPRT, which carries a client-supplied address the same way, blacklist it too.
Disable anonymous FTP access (all affected versions)
Set anonymous: false in the FtpSrv options and require credentials for every connection. This only raises the bar: any authenticated user can still issue PORT, so treat it as a stop-gap rather than a fix.
🧯 If You Can't Patch
- Implement egress filtering on the FTP host: deny outbound connections by default, allow only what transfers need, and alert on denied attempts
- Place the FTP server in an isolated network segment with no route to internal services, so a forged PORT connection has nothing to reach
🔍 How to Verify
Check if Vulnerable:
Check the installed ftp-srv version with npm list ftp-srv or in package.json and the lockfile. You are vulnerable if the version is any 2.x below 2.19.6, 3.0.0 up to and including 3.1.1, or 4.0.0 up to and including 4.3.3.
Check Version:
npm list ftp-srv | grep ftp-srv
Verify Fix Applied:
After updating, confirm the version shown is 2.19.6, 3.1.2, or 4.3.4 or later on the same major line. Then test the behaviour: log in, send a PORT command naming an address that is not your client's own address (for example a loopback or RFC 1918 address), and follow it with LIST. A patched server rejects the PORT with an error reply and never opens the connection; confirm the latter from the server's egress logs or a packet capture rather than from the FTP reply alone.
📡 Detection & Monitoring
Log Indicators:
- PORT commands whose address differs from the control connection's source address (the only legitimate value)
- PORT commands naming loopback, RFC 1918, or link-local addresses, or ports such as 22, 25, or 3306 that are not plausible data ports
- Bursts of PORT/LIST pairs within one session, the signature of a port scan run through the server
- Unexpected outbound connection attempts from the FTP server
Network Indicators:
- FTP server opening outbound connections to destinations other than its connected clients
- Port scanning activity originating from the FTP server IP
SIEM Query (illustrative pseudo-syntax; the field names must match what your logging pipeline records for the PORT argument and the control-connection peer):
source="ftp-srv" AND command="PORT" AND NOT (port_address=client_address)
where port_address is the address decoded from the PORT argument (the first four comma-separated values) and client_address is the peer address of the control connection.
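The address-binding decision that the fix introduces and the log detection described above, as one added example that is not ftp-srv's own code. It also serves the "Verify Fix Applied" step: the same decision is what a patched server must make for a PORT that names an address other than the client's own. The function names (`parsePortArgument`, `evaluatePortCommand`, `findSuspiciousPortCommands`), the `client=... cmd=PORT arg=...` log format, and the sample lines are constructed for this example; ftp-srv's real reply text and log format are not reproduced.

```javascript
// Added example, not ftp-srv project code. It reproduces, in self-contained
// form, the decision that the CVE-2020-15152 fix makes (a PORT request may
// only name the control connection's own peer address) and runs that same
// decision as a detector over constructed log lines.

const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4_RE = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Node reports IPv4 peers on a dual-stack listener as "::ffff:a.b.c.d";
// normalise that to the plain dotted form before comparing addresses,
// otherwise every legitimate active-mode client would be rejected.
function normaliseClientIp(remoteAddress) {
  const s = String(remoteAddress).trim();
  return s.toLowerCase().startsWith('::ffff:') ? s.slice(7) : s;
}

// Parse the argument of "PORT h1,h2,h3,h4,p1,p2" (RFC 959) into {ip, port}.
// Returns null for anything that is not six decimal octets or names port 0.
function parsePortArgument(arg) {
  const parts = String(arg).trim().split(',');
  if (parts.length !== 6) return null;
  if (!parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const nums = parts.map(Number);
  if (nums.some((n) => n > 255)) return null;
  const ip = nums.slice(0, 4).join('.');
  const port = nums[4] * 256 + nums[5];
  if (port === 0) return null;
  return { ip, port };
}

// Loopback, RFC 1918 and link-local ranges: the destinations an SSRF via
// PORT is most often aimed at.
function isInternalAddress(ip) {
  const [a, b] = ip.split('.').map(Number);
  return (
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// The fix as a pure decision. clientIp is the peer that sent the command;
// the request is accepted only when it names exactly that address.
function evaluatePortCommand(clientIp, arg) {
  const parsed = parsePortArgument(arg);
  if (!parsed) return { ok: false, reason: 'malformed' };
  const peer = normaliseClientIp(clientIp);
  if (!IPV4_RE.test(peer)) return { ok: false, reason: 'non-ipv4-peer', ...parsed };
  if (parsed.ip !== peer) return { ok: false, reason: 'address-mismatch', ...parsed };
  return { ok: true, reason: 'ok', ...parsed };
}

// Detection over log lines. The line format is constructed for this example;
// adapt LOG_RE to whatever your pipeline records for the peer address and
// the PORT argument.
const LOG_RE = /client=(\S+)\s+cmd=PORT\s+arg=(\S+)/;

function findSuspiciousPortCommands(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, clientIp, arg] = m;
    const verdict = evaluatePortCommand(clientIp, arg);
    if (verdict.ok) continue;
    hits.push({
      line,
      clientIp: normaliseClientIp(clientIp),
      reason: verdict.reason,
      target: verdict.ip ? `${verdict.ip}:${verdict.port}` : null,
      internalTarget: verdict.ip ? isInternalAddress(verdict.ip) : false,
    });
  }
  return hits;
}

// Constructed sample: one legitimate active-mode request, two SSRF attempts
// (an internal host's SSH port and the server's own loopback SMTP port),
// one malformed argument and one unrelated command.
const SAMPLE_LOG = [
  '2020-08-14T10:00:01Z client=203.0.113.7 cmd=PORT arg=203,0,113,7,4,1',
  '2020-08-14T10:00:02Z client=203.0.113.7 cmd=PORT arg=10,0,0,5,0,22',
  '2020-08-14T10:00:03Z client=::ffff:203.0.113.7 cmd=PORT arg=127,0,0,1,0,25',
  '2020-08-14T10:00:04Z client=203.0.113.7 cmd=PORT arg=1,2,3',
  '2020-08-14T10:00:05Z client=203.0.113.7 cmd=PASV arg=',
];

for (const hit of findSuspiciousPortCommands(SAMPLE_LOG)) {
  console.log(`${hit.reason}: ${hit.clientIp} asked for ${hit.target} (internal=${hit.internalTarget})`);
}
```

Run with `node` to see the three flagged lines. The check deliberately compares the PORT address with the connected peer rather than with a list of forbidden ranges: a denylist of internal addresses would still let the server be pointed at arbitrary external hosts, which is the "Worst Case" above.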
🔗 References
- https://github.com/autovance/ftp-srv/commit/e449e75219d918c400dec65b4b0759f60476abca
- https://github.com/autovance/ftp-srv/security/advisories/GHSA-jw37-5gqr-cf9j
- https://www.npmjs.com/package/ftp-srv