CVE-2021-40524
📋 TL;DR
Pure-FTPd's built-in quota check mishandles a -1 value, so an FTP user with upload rights can bypass the configured file-size quota and upload files of unbounded size. The practical effect is denial of service: the disk fills and the server slows down or crashes. Affected: Pure-FTPd 1.0.23 through 1.0.49; fixed in 1.0.50.
💻 Affected Systems
- Pure-FTPd
📦 What is this software?
Pure-FTPd, a free, open-source FTP server for Unix-like systems, maintained by Frank Denis (jedisct1 on GitHub).
⚠️ Risk & Real-World Impact
Worst Case
An attacker fills the filesystem that holds the FTP home directories. If that filesystem is shared with the operating system or other services, their writes start failing too, leaving the host unstable until an operator frees space by hand.
Likely Case
Degraded server performance and failed or crashed FTP sessions that need a service restart, disrupting legitimate transfers while the oversized uploads are in flight and the disk stays full.
If Mitigated
Minimal: kernel disk quotas or Pure-FTPd's MaxDiskUsage ceiling bound how much disk an attacker can consume, although the upload attempts still cost bandwidth and disk I/O while they run.
🎯 Exploit Status
Exploitation requires FTP upload access: a real account with write permission, or anonymous access on a server that allows anonymous uploads. Once logged in, the bug is trivial to trigger: upload a file larger than the account's quota.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.50
Vendor Advisory: https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4
Restart Required: Yes
Instructions:
1. Obtain Pure-FTPd 1.0.50 or later from the official sources, or your distribution's patched package.
2. Stop the Pure-FTPd service.
3. Install the new version through your distribution's package manager, or build from source.
4. Restart the Pure-FTPd service. Pure-FTPd forks a child process per session, so sessions that were already open keep running the old binary until they disconnect; stop the service fully rather than relying on new connections alone.
The linked commit and the 1.0.49...1.0.50 compare view in References are the authoritative record of what changed.
🔧 Temporary Workarounds
Disable anonymous uploads (or anonymous access)
Linux: Exploitation needs upload rights, so removing them removes the attack surface. Note that NoAnonymous no is the default and restricts nothing. Pure-FTPd has no global read-only switch for authenticated accounts; for those, remove write permission on the upload directories at the filesystem level (and set NoChmod yes so users cannot restore it with SITE CHMOD).
# pure-ftpd.conf: refuse uploads from anonymous sessions
AnonymousCantUpload yes
# or on the command line: pure-ftpd -i  (--anonymouscantupload)
# to refuse anonymous logins altogether: NoAnonymous yes  (pure-ftpd -E)
Enforce limits outside Pure-FTPd's quota code
Linux: Kernel disk quotas and Pure-FTPd's disk-usage ceiling are checked independently of the per-user quota logic this bug lives in, so they hold even when that check is bypassed.
# filesystem quota for the FTP account (limits are in 1 KiB blocks: 100 MiB soft, 200 MiB hard);
# the filesystem must be mounted with usrquota and have quotaon run on it
setquota -u ftpuser 102400 204800 0 0 /home
# pure-ftpd.conf: stop accepting uploads once the partition is 90% full
MaxDiskUsage 90
# or on the command line: pure-ftpd -k 90  (--maxdiskusagepct)
🧯 If You Can't Patch
- Keep the FTP server on its own filesystem (a separate partition for the FTP home directories) and its own network segment, so a filled disk cannot starve the OS or other services
- Throttle upload bandwidth (UserBandwidth / AnonymousBandwidth in pure-ftpd.conf, or -T / -t on the command line) so that filling the disk takes long enough to be noticed
- Monitor disk usage on the server and per-transfer sizes at the network perimeter, and alert on uploads beyond the configured limit
🔍 How to Verify
Check if Vulnerable:
Check the Pure-FTPd version: pure-ftpd --version, or ask the package manager (rpm -q pure-ftpd / dpkg -l pure-ftpd). Anything below 1.0.50 that has not received a backported fix is affected.
Check Version:
pure-ftpd --version 2>&1 | head -1
Distribution packages often backport the fix without changing the upstream version string (Debian's LTS advisory in References is the kind of update that does this), so a package reporting 1.0.49 is not necessarily vulnerable: check the package changelog for this CVE, e.g. apt changelog pure-ftpd | grep CVE-2021-40524 or rpm -q --changelog pure-ftpd | grep CVE-2021-40524.
Verify Fix Applied:
Confirm the installed version is 1.0.50 or later (or the package changelog names CVE-2021-40524), restart the service so every session runs the new binary, then test: give a test account a small quota (Quota in pure-ftpd.conf, e.g. Quota 1000:10 for 1000 files / 10 MB), upload a file larger than that, and confirm the server refuses it.
📡 Detection & Monitoring
Log Indicators:
- Uploads whose byte count exceeds the quota configured for that account (Pure-FTPd records per-transfer sizes in its AltLog output, e.g. AltLog xferlog:/var/log/pure-ftpd/transfer.log, and in its syslog "uploaded" notices)
- Quota-exceeded refusals followed shortly by a larger successful upload from the same account
- Service restarts or disk-full errors that follow large uploads
Network Indicators:
- Sustained inbound FTP data-channel transfers well beyond the configured per-user limits
- Repeated STOR or APPE commands for large files from one source
SIEM Query:
source="ftp.log" (STOR OR APPE) AND bytes_transferred > [configured_limit]
Field names depend on how the log is ingested; in xferlog format an upload is a record whose direction field is "i", and the byte count is the third field after the timestamp.
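The log indicators above, turned into a check that runs over Pure-FTPd's xferlog-format transfer log (what AltLog xferlog:/path writes). This is an added example, not code from the page or from Pure-FTPd itself: the log lines are constructed for the example, and the per-file limit and per-account quota are assumed values to be replaced with whatever Quota is configured on the server.

```python
"""Flag uploads that exceed a per-file limit or push an account past its quota.

Input is Pure-FTPd's xferlog format (AltLog xferlog:/path), one record per
transfer, in the wu-ftpd layout:
  <weekday> <month> <day> <hh:mm:ss> <year> <seconds> <remote-host> <bytes>
  <path> <a|b> <special-flag> <i|o> <a|g|r> <user> <service> <auth> <uid> <c|i>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log for this example (not real traffic). Two large uploads
# by "mallory" and one interrupted anonymous upload are the interesting rows.
SAMPLE_XFERLOG = """\
Mon Sep  6 10:15:42 2021 3 198.51.100.7 20480 /home/ftp/upload/notes.txt a _ i r alice ftp 0 * c
Mon Sep  6 10:16:01 2021 118 203.0.113.5 524288000 /home/ftp/upload/big.iso b _ i r mallory ftp 0 * c
Mon Sep  6 10:18:30 2021 2 198.51.100.7 1048576 /home/ftp/pub/readme.pdf b _ o r alice ftp 0 * c
Mon Sep  6 10:20:12 2021 301 203.0.113.5 734003200 /home/ftp/upload/big 2.iso b _ i r mallory ftp 0 * c
Mon Sep  6 10:25:44 2021 40 192.0.2.9 73400320 /home/ftp/incoming/dump.bin b _ i a anonymous ftp 0 * i
"""

# Assumed thresholds; replace with the values from Quota in pure-ftpd.conf.
PER_FILE_LIMIT = 100 * 1024 * 1024      # 100 MiB per upload
PER_USER_QUOTA = 1024 * 1024 * 1024     # 1 GiB per account


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str      # "i" = upload (incoming), "o" = download (outgoing)
    user: str
    completed: bool     # "c" = complete, "i" = interrupted


def parse_xferlog_line(line: str) -> Transfer:
    """Parse one xferlog record.

    The path is the only field that may contain spaces, so the fixed fields are
    taken from both ends (5 date tokens + 3 before the path, 9 after it) and
    whatever is left in the middle is the path.
    """
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"not an xferlog record: {line!r}")
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    remote_host, size = tokens[6], int(tokens[7])
    path = " ".join(tokens[8:-9])
    direction, user, status = tokens[-7], tokens[-5], tokens[-1]
    return Transfer(when, remote_host, size, path, direction, user, status == "c")


def parse_xferlog(text: str) -> list:
    """Parse a whole log, skipping blank lines."""
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def oversized_uploads(records, per_file_limit=PER_FILE_LIMIT):
    """Single uploads larger than the per-file limit.

    Interrupted uploads are included: they still consumed disk I/O while they
    ran and, depending on server configuration, may leave partial files behind.
    """
    return [r for r in records if r.direction == "i" and r.size > per_file_limit]


def quota_busters(records, per_user_quota=PER_USER_QUOTA):
    """Accounts whose total uploaded bytes in this log window exceed the quota."""
    totals = defaultdict(int)
    for r in records:
        if r.direction == "i":
            totals[r.user] += r.size
    return {user: total for user, total in totals.items() if total > per_user_quota}


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in oversized_uploads(recs):
        print(f"OVERSIZED {r.when:%Y-%m-%d %H:%M:%S} {r.user}@{r.remote_host} "
              f"{r.size} bytes -> {r.path}{'' if r.completed else ' (interrupted)'}")
    for user, total in quota_busters(recs).items():
        print(f"QUOTA {user} uploaded {total} bytes in this window")
```

Run it against the real transfer log by replacing SAMPLE_XFERLOG with the file's contents; the per-account total is the more useful signal for this bug, since a quota bypass shows up as an account whose uploads add up to more than its Quota allows.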
🔗 References
- https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4
- https://github.com/jedisct1/pure-ftpd/compare/1.0.49...1.0.50
- https://github.com/jedisct1/pure-ftpd/pull/158
- https://lists.debian.org/debian-lts-announce/2025/11/msg00003.html