CVE-2021-47865
📋 TL;DR
CVE-2021-47865 is a denial of service vulnerability in ProFTPD that allows attackers to overwhelm FTP servers by creating multiple simultaneous connections. This can exhaust server connection limits and block legitimate user access. Any organization running vulnerable ProFTPD versions is affected.
💻 Affected Systems
- ProFTPD
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete FTP service unavailability for extended periods, disrupting file transfer operations and potentially affecting dependent business processes.
Likely Case
Temporary FTP service degradation or intermittent outages during attack periods, impacting file transfer operations.
If Mitigated
Minimal impact with proper connection limiting, rate limiting, and network controls in place.
🎯 Exploit Status
Exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.7b and later
Vendor Advisory: http://www.proftpd.org/
Restart Required: Yes
Instructions:
1. Download latest ProFTPD version from proftpd.org.
2. Stop ProFTPD service.
3. Backup configuration files.
4. Install updated version.
5. Restart ProFTPD service.
🔧 Temporary Workarounds
Connection Rate Limiting
Linux: Implement connection rate limiting using iptables or similar firewall rules
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
MaxClients Configuration
All platforms: Reduce the MaxClients setting in proftpd.conf to limit simultaneous connections
MaxClients 10
MaxClientsPerHost 2
🧯 If You Can't Patch
- Implement network-level rate limiting for the FTP port (21/tcp)
- Use a load balancer or WAF with connection-limiting capabilities
🔍 How to Verify
Check if Vulnerable:
Check ProFTPD version with: proftpd -v
Check Version:
proftpd -v
Verify Fix Applied:
Verify version is 1.3.7b or higher: proftpd -v | grep -Eq '1\.3\.(7[b-z]|[89]|[1-9][0-9])' && echo 'Patched'
📡 Detection & Monitoring
Log Indicators:
- Rapid succession of new connections from single IP
- MaxClients limit reached messages
- Connection refused errors in logs
Network Indicators:
- High volume of TCP SYN packets to port 21
- Multiple simultaneous FTP connections from single source
SIEM Query:
dest_port=21 AND (event_type="connection_attempt" OR event_type="authentication_failure") | stats count by src_ip | where count > 10
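The log indicators listed above, as an added example (not part of the original advisory and not ProFTPD's own tooling): a shell filter that counts "FTP session opened" lines per source address per clock minute, flags any source above 10 (the threshold used in the iptables rule and the SIEM query), and counts MaxClients refusals. The log line shape, the refusal message text, the function names and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): per-source FTP session counts per minute.
# Assumed line shape, modelled on ProFTPD's SystemLog output:
#   2021-05-01 12:00:01,101 ftp1 proftpd[4101] ftp1 (host[203.0.113.7]): FTP session opened.
THRESHOLD=10   # same figure as the iptables --hitcount and SIEM query on this page

# stdin: log lines. stdout: "YYYY-MM-DD HH:MM <ip> <count>" for each source above
# the limit. Buckets are fixed clock minutes, so a burst across a minute boundary
# is split between two buckets.
flag_ftp_floods() {
    awk -v limit="${1:-$THRESHOLD}" '
        /FTP session opened/ {
            # The client address is the bracketed value directly before "):"
            if (match($0, /\[[0-9a-fA-F.:]+\]\):/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 4)
                minute = substr($0, 1, 16)
                count[minute " " ip]++
            }
        }
        END { for (k in count) if (count[k] > limit) print k, count[k] }
    ' | sort
}

# stdin: log lines. stdout: number of refusals caused by the MaxClients limit.
count_maxclients_refusals() {
    awk '/Connection refused \(MaxClients/ { n++ } END { print n + 0 }'
}

# Constructed sample: 12 sessions from one address within a minute, 2 from
# another, then 3 refusals (message text assumed) once MaxClients is reached.
sample_log() {
    fmt='2021-05-01 12:00:%02d,101 ftp1 proftpd[%d] ftp1 (%s[%s]): %s\n'
    i=1
    while [ "$i" -le 12 ]; do
        printf "$fmt" "$i" "$((4100 + i))" 203.0.113.7 203.0.113.7 'FTP session opened.'
        i=$((i + 1))
    done
    printf "$fmt" 30 4200 198.51.100.20 198.51.100.20 'FTP session opened.'
    printf "$fmt" 45 4201 198.51.100.20 198.51.100.20 'FTP session opened.'
    for s in 50 51 52; do
        printf "$fmt" "$s" "$((4250 + s))" 203.0.113.7 203.0.113.7 'Connection refused (MaxClients 10)'
    done
}

sample_log | flag_ftp_floods
sample_log | count_maxclients_refusals
```

To run it against a real server, pipe the ProFTPD log file into `flag_ftp_floods` in place of `sample_log`, adjusting the match patterns if your log format differs from the assumed one.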