CVE-2021-41637

Severity: 7.1 HIGH

📋 TL;DR

MELAG FTP Server 2.2.0.4 has weak file permissions that allow any user (including unauthenticated 'Everyone' group) to read the FTP configuration file. This exposes unencrypted passwords for all FTP users, enabling credential theft and unauthorized access. Any organization using this specific version is affected.

💻 Affected Systems

Products:
  • MELAG FTP Server
Versions: 2.2.0.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation configuration with weak file permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to all FTP accounts, steal sensitive data, upload malicious files, or use compromised credentials for lateral movement within the network.

🟠 Likely Case

Unauthorized users read FTP credentials and gain access to FTP services, potentially accessing sensitive files or using the server for unauthorized data transfers.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to FTP service compromise without broader network access.

🌐 Internet-Facing: HIGH - Internet-facing FTP servers are directly accessible to attackers who can easily exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can exploit this, but requires some level of network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only file read access to the configuration file location, which is trivial for any user.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Restrict Configuration File Permissions

Platform: Windows

Modify file system permissions to restrict read access to the FTP configuration file to authorized administrators only. Note that icacls /remove strips only explicit entries: if the Everyone entry is marked (I), it is inherited from the parent directory, so run icacls on the file with /inheritance:d first to convert inherited entries to explicit ones. Make sure the account the FTP service runs as keeps read access, or the service will fail to load its configuration.

icacls "C:\Program Files\MELAG\FTP Server\config\ftp.cfg" /remove:g "Everyone"
icacls "C:\Program Files\MELAG\FTP Server\config\ftp.cfg" /grant:r "Administrators:(F)"

Disable FTP Service

Platform: Windows

Temporarily disable the FTP service until a permanent fix can be implemented.

sc stop "MELAG FTP Server"
sc config "MELAG FTP Server" start= disabled

🧯 If You Can't Patch

  • Implement network segmentation to isolate FTP server from critical systems
  • Enable detailed logging and monitoring for unauthorized FTP access attempts

🔍 How to Verify

Check if Vulnerable:

Check whether 'ftp.cfg' in the MELAG FTP Server installation directory is readable by the Everyone group by running: icacls "C:\Program Files\MELAG\FTP Server\config\ftp.cfg" and looking for an Everyone entry whose rights include R, RX, M or F. An (I) flag on that entry means the permission is inherited from the parent directory rather than set on the file itself.

Check Version:

Check program version in Control Panel > Programs and Features, or examine the installation directory for version information.

Verify Fix Applied:

Verify that only authorized users (Administrators) have read access to the configuration file using the same icacls command.
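The following script, an added example rather than anything from the advisory or from MELAG, automates the icacls check above and the permission workaround in one pass: it flags any Allow entry for Everyone, Users or Authenticated Users that carries read access (including inherited entries, which icacls /remove alone does not strip), and with -Fix breaks inheritance and leaves only Administrators and the service account. The file path is the one quoted in this advisory; the service account default (SYSTEM) is an assumption, adjust it to your install.

```powershell
# Added example (not part of the advisory or the vendor's software): audit, and optionally
# tighten, the ACL on the MELAG FTP Server configuration file. Run from an elevated shell.
param(
    [string]$ConfigPath = 'C:\Program Files\MELAG\FTP Server\config\ftp.cfg',  # path quoted in the advisory
    [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM',  # assumption: account the FTP service runs as
    [switch]$Fix
)

# Any Allow ACE for these principals that carries ReadData (or GENERIC_READ) exposes the file.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Test-ReadAllowed([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    $r = [int]$Ace.FileSystemRights   # negative when generic rights bits are set
    $Ace.AccessControlType -eq 'Allow' -and ((($r -band 1) -ne 0) -or (($r -band 0x80000000) -ne 0))
}

if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config file not found: $ConfigPath" }

$acl = Get-Acl -LiteralPath $ConfigPath
$exposed = @($acl.Access | Where-Object {
    ($BroadPrincipals -contains $_.IdentityReference.Value) -and (Test-ReadAllowed $_) })

if ($exposed.Count -eq 0) { Write-Output "OK: no broad read access on $ConfigPath"; return }
foreach ($ace in $exposed) {
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("VULNERABLE: {0} has {1} ({2})" -f $ace.IdentityReference.Value, $ace.FileSystemRights, $src)
}
if (-not $Fix) { return }

# Inherited ACEs cannot be removed in place: break inheritance (copying inherited entries
# as explicit ones), write the ACL back, then re-read it before editing.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $ConfigPath -AclObject $acl
$acl = Get-Acl -LiteralPath $ConfigPath
foreach ($name in $BroadPrincipals) {
    $probe = New-Object System.Security.AccessControl.FileSystemAccessRule($name, 'Read', 'Allow')
    [void]$acl.RemoveAccessRuleAll($probe)   # drops every Allow ACE for that identity
}
# Keep administrators and the service account; everything else loses access.
foreach ($name in @('BUILTIN\Administrators', $ServiceAccount)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($name, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $ConfigPath -AclObject $acl
Write-Output "Fixed: $ConfigPath now readable only by Administrators and $ServiceAccount"
```

Run it without -Fix first to see which entries would be removed, and re-run afterwards to confirm it reports OK.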

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful logins
  • Unusual file access patterns from new IP addresses
  • Configuration file access by non-admin users

Network Indicators:

  • Unusual FTP traffic patterns
  • Connections from unexpected IP ranges
  • Large data transfers at unusual times

SIEM Query:

EventID=4663 AND ObjectName LIKE '%ftp.cfg%' AND Accesses='ReadData' AND SubjectUserName NOT IN ('Administrator', 'SYSTEM')

Event 4663 is only generated when the "Audit File System" object-access policy is enabled and ftp.cfg carries an audit (SACL) entry for read access by Everyone; without both, the query returns nothing. In the raw event the read-data right appears as AccessMask 0x1, which some SIEMs expose instead of the textual Accesses field.
