CVE-2020-20276

9.8 CRITICAL

📋 TL;DR

An unauthenticated stack-based buffer overflow in the uftpd FTP server's PORT command handler lets a remote attacker crash the service and potentially execute arbitrary code. Every system running uftpd 2.10 or earlier with the FTP service enabled and reachable is affected. No credentials are needed: a bare TCP connection to the control port is enough to deliver the malicious command.

💻 Affected Systems

Products:
  • uftpd FTP server
Versions: 2.10 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable whenever the FTP service is enabled and reachable. The flaw is in the handler for the PORT command, which is processed before authentication, so the attacker never has to log in to reach it.
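The shape of the bug, as an added example that is not uftpd's own source: a PORT handler that pulls the six fields out of "h1,h2,h3,h4,p1,p2" with sscanf() and formats the address into a 16-byte stack buffer with sprintf(), beside a parser that validates each field before formatting. The variable names, the 16-byte buffer and the handler layout are assumptions about how such a handler is typically written, not a transcription of the project's code; the helper only measures the unsafe write instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 16 bytes, the same as INET_ADDRSTRLEN: room for "255.255.255.255" plus NUL. */
#define ADDR_LEN 16

/*
 * Assumed shape of the vulnerable handler (illustration, not uftpd's source):
 * sscanf() pulls six ints out of "h1,h2,h3,h4,p1,p2" with no range check,
 * then sprintf() formats the first four into a 16-byte stack buffer.  The
 * buffer budgets three digits per field; a field like 2147483647 needs ten.
 * This helper only measures how many bytes that sprintf() would write, it
 * never performs the unsafe write.
 */
size_t naive_port_addr_len(const char *arg)
{
    int a = 0, b = 0, c = 0, d = 0, e = 0, f = 0;

    if (sscanf(arg, "%d,%d,%d,%d,%d,%d", &a, &b, &c, &d, &e, &f) != 6)
        return 0;
    /* snprintf(NULL, 0, ...) returns the length sprintf() would produce. */
    return (size_t)snprintf(NULL, 0, "%d.%d.%d.%d", a, b, c, d) + 1;
}

/*
 * Hardened parser: exactly six fields, each a plain decimal in 0..255 with
 * at most three digits, nothing before, between or after them except the
 * five commas, and the address formatted through snprintf() with an explicit
 * size.  Returns 0 and fills addr/port on success, -1 on any malformed input.
 */
int parse_port_arg(const char *arg, char addr[ADDR_LEN], unsigned short *port)
{
    unsigned v[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        char *end;
        unsigned long n;

        if (*p < '0' || *p > '9')        /* rejects '-', '+', space, empty field */
            return -1;
        n = strtoul(p, &end, 10);
        if (n > 255 || end - p > 3)      /* rejects 256 and up, and padded "0001" */
            return -1;
        v[i] = (unsigned)n;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != '\0')                      /* trailing garbage after the sixth field */
        return -1;

    int len = snprintf(addr, ADDR_LEN, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    if (len < 0 || len >= ADDR_LEN)      /* cannot trigger with 0..255 fields; kept anyway */
        return -1;
    *port = (unsigned short)((v[4] << 8) | v[5]);
    return 0;
}

/* Convenience wrapper: the data port for a PORT argument, or -1 if it is rejected. */
int port_from_arg(const char *arg)
{
    char addr[ADDR_LEN];
    unsigned short port;

    return parse_port_arg(arg, addr, &port) == 0 ? (int)port : -1;
}

int main(void)
{
    /* Constructed inputs: one well-formed PORT argument and one overlong one. */
    const char *good = "192,168,1,10,4,1";
    const char *bad  = "2147483647,2147483647,2147483647,2147483647,0,0";
    char addr[ADDR_LEN];
    unsigned short port;

    printf("naive sprintf() needs %zu bytes for a %d-byte buffer\n",
           naive_port_addr_len(bad), ADDR_LEN);
    if (parse_port_arg(good, addr, &port) == 0)
        printf("accepted %s -> %s port %u\n", good, addr, port);
    printf("%s -> %s\n", bad, parse_port_arg(bad, addr, &port) ? "rejected" : "accepted");
    return 0;
}
```

The point of the measurement is that the 16-byte budget assumes three digits per field, while "%d" happily accepts ten; the hardened parser closes that gap by bounding the numeric value and the digit count of every field before anything is formatted, and still uses snprintf() with the buffer size so a later change to the format cannot silently reopen it.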

📦 What is this software?

uftpd is a small, no-frills FTP and TFTP server for Linux, maintained in the troglobit/uftpd repository on GitHub (the repository the fix commit below belongs to).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution as the uftpd process, giving the attacker a foothold from which to install malware, exfiltrate the served files, or pivot to other systems.

🟠 Likely Case

The service crashes (denial of service). Turning the overflow into code execution requires defeating the build's stack protector, ASLR and PIE, so a crash is the more common outcome.

🟢 If Mitigated

Denial of service only: on a build with stack protection, ASLR and PIE the overflow corrupts the stack and terminates the process rather than handing the attacker control. A supervisor that restarts uftpd shortens the outage, but each restarted instance is still exploitable until the patch is applied.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to network-accessible attackers without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept demonstrates the crash. Because the overflow is on the stack, code execution is plausible against builds without stack protection or with predictable addresses, although this page does not track a public RCE exploit. No authentication is required and the malicious input is a single PORT command, so complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11 and later

Vendor Advisory (fix commit): https://github.com/troglobit/uftpd/commit/0fb2c031ce0ace07cc19cd2cb2143c4b5a63c9dd

Restart Required: Yes

Instructions:

1. Update uftpd to 2.11 or later from your package manager, or build from the tagged release if no package carries the fix.
2. Restart the uftpd service (or the inetd/xinetd entry that spawns it, if that is how it is launched).
3. Confirm the running binary reports the patched version.

🔧 Temporary Workarounds

Disable FTP service

Stop and disable uftpd entirely if the FTP service is not needed. If uftpd is launched from inetd or xinetd instead of systemd, comment out its entry there.

sudo systemctl stop uftpd
sudo systemctl disable uftpd

Network segmentation

Allow the FTP control port only from trusted sources and drop everything else. Insert the rules at the top of the chain (-I) so an earlier blanket ACCEPT cannot shadow them; the second insert lands above the first, so the ACCEPT is evaluated before the DROP. 192.0.2.0/24 is a placeholder for your trusted network.

sudo iptables -I INPUT -p tcp --dport 21 -j DROP
sudo iptables -I INPUT -p tcp --dport 21 -s 192.0.2.0/24 -j ACCEPT

🧯 If You Can't Patch

  • Implement strict network access controls so the FTP control port is reachable only from trusted IPs
  • If your distribution has no packaged fix, build 2.11 or later from source rather than waiting
  • Monitor for exploitation attempts (malformed PORT commands, uftpd crashes) and have incident response procedures ready

🔍 How to Verify

Check if Vulnerable:

Query the installed version with uftpd -v (or rpm -q uftpd / dpkg -l uftpd for the package). Anything reporting 2.10 or earlier is vulnerable, with one caveat: a distribution may backport the fix without changing the version string, so check the package changelog if the version looks old but the package is recent.

Check Version:

uftpd -v 2>&1 | head -1

Verify Fix Applied:

After updating, the same command must report 2.11 or later, and the running process must be the new binary (restart it and confirm with systemctl status or ps). Then test a normal FTP login and an active-mode (PORT) transfer to confirm the service still works.

📡 Detection & Monitoring

Log Indicators:

  • Bursts of short-lived control connections from one source, each ending without a login
  • PORT commands before any USER/PASS, or PORT arguments that are not six small decimal fields
  • uftpd crash records: kernel "segfault at" lines naming uftpd, or the service manager reporting the process killed by SIGSEGV

Network Indicators:

  • FTP PORT commands whose argument is longer than the 23 characters a valid h1,h2,h3,h4,p1,p2 can occupy, or that contain signs, spaces or letters
  • Connections to TCP port 21 from sources that never otherwise exchange FTP traffic with this host

SIEM Query (Splunk-style pseudo-query; source and field names depend on your log pipeline):

sourcetype=syslog "uftpd" AND ("segfault at" OR "status=11/SEGV")
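A triage pass over the two indicator sources above, as an added example that is not tooling from the page or the uftpd project: it flags PORT commands whose argument is lexically impossible for a valid h1,h2,h3,h4,p1,p2 and counts uftpd crash records in syslog-style lines. The sample lines are constructed, the kernel segfault line is abbreviated, and the 23-byte limit is derived from the field grammar (six fields of at most three digits plus five commas), not from uftpd.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A legitimate PORT argument is six fields of at most three digits plus five commas. */
#define PORT_ARG_MAX 23

struct scan_result {
    int bad_port_cmds;   /* control-channel PORT commands that cannot be legitimate */
    int crashes;         /* uftpd crash records from syslog / journal */
};

/* Case-insensitive prefix test (FTP commands are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
    return 1;
}

/*
 * Flag a PORT command whose argument is longer than any valid
 * h1,h2,h3,h4,p1,p2 or contains anything other than digits and commas.
 * Lexical only, so it is cheap enough for every captured control-channel
 * line, and it catches both overlong numbers and sign/space tricks.
 */
int suspicious_port_cmd(const char *line)
{
    const char *arg;
    size_t len;

    if (!has_prefix_ci(line, "PORT "))
        return 0;
    arg = line + 5;
    len = strcspn(arg, "\r\n");
    if (len > PORT_ARG_MAX)
        return 1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)arg[i]) && arg[i] != ',')
            return 1;
    return 0;
}

/*
 * Flag a uftpd crash record.  Two shapes are matched: the kernel's
 * "uftpd[pid]: segfault at ..." line and systemd's "status=11/SEGV" exit
 * record for the unit.  Both must mention uftpd so other daemons' crashes
 * are not counted.
 */
int uftpd_crash_line(const char *line)
{
    if (strstr(line, "uftpd") == NULL)
        return 0;
    return strstr(line, "segfault at") != NULL ||
           strstr(line, "status=11/SEGV") != NULL;
}

/* Run both checks over a newline-separated text buffer and tally hits. */
struct scan_result scan_lines(const char *text)
{
    struct scan_result r = {0, 0};
    char line[512];
    const char *p = text;

    while (*p) {
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;  /* truncate, never overflow */

        memcpy(line, p, n);
        line[n] = '\0';
        r.bad_port_cmds += suspicious_port_cmd(line);
        r.crashes += uftpd_crash_line(line);
        p += full;
        if (*p == '\n')
            p++;
    }
    return r;
}

/* Constructed sample: control-channel lines as a sensor would log them, then two syslog lines. */
static const char SAMPLE[] =
    "USER anonymous\r\n"
    "PORT 192,168,1,10,4,1\r\n"
    "PORT 2147483647,2147483647,2147483647,2147483647,0,0\r\n"
    "port 192,168,1,10,-4,1\r\n"
    "Mar 10 12:00:01 ftp1 kernel: uftpd[2042]: segfault at 41414141 ip 0000000041414141 sp 00007ffc3b0b1a20 error 14\n"
    "Mar 10 12:00:01 ftp1 systemd[1]: uftpd.service: Main process exited, code=killed, status=11/SEGV\n";

int main(void)
{
    struct scan_result r = scan_lines(SAMPLE);

    printf("suspicious PORT commands: %d, uftpd crashes: %d\n", r.bad_port_cmds, r.crashes);
    return 0;
}
```

The lexical check deliberately does not parse the numbers: a full parser belongs in the server, while a detector wants a cheap, order-independent test it can apply to every line of a capture. Pair a hit on the first check with a crash record a second or two later from the same host to separate an exploitation attempt from a misbehaving client.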

🔗 References

  • Fix commit: https://github.com/troglobit/uftpd/commit/0fb2c031ce0ace07cc19cd2cb2143c4b5a63c9dd
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-20276