CVE-2023-45198

7.5 HIGH

📋 TL;DR

This vulnerability in ftpd allows unauthenticated attackers to obtain information about the host filesystem before authentication using MLSD or MLST commands. It affects NetBSD-ftpd before 20230930 and tnftpd before 20231001. The information leak could reveal directory structures and file metadata.

💻 Affected Systems

Products:
  • NetBSD-ftpd
  • tnftpd (portable NetBSD ftpd)
Versions: NetBSD-ftpd before 20230930, tnftpd before 20231001
Operating Systems: NetBSD, Other systems using tnftpd
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both NetBSD's built-in ftpd and the portable tnftpd version used on other systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers map the entire filesystem structure, identify sensitive directories, and use this reconnaissance for subsequent attacks like privilege escalation or data exfiltration.

🟠 Likely Case

Attackers discover directory layouts, user home directories, configuration file locations, and other system information that aids in targeted attacks.

🟢 If Mitigated

Limited exposure of non-sensitive directory structures with no authentication bypass or data access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending standard FTP commands (MLSD/MLST) before authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NetBSD-ftpd 20230930, tnftpd 20231001

Vendor Advisory: https://mail-index.netbsd.org/source-changes/2023/09/22/msg147669.html

Restart Required: Yes

Instructions:

1. Update the NetBSD system to include the ftpd fixes dated 20230930 or later.
2. For tnftpd, upgrade to version 20231001 or later.
3. Restart the ftpd service.

🔧 Temporary Workarounds

Disable MLSD/MLST commands (platform: all)

Configure ftpd to reject MLSD and MLST commands before authentication. Check the ftpd configuration for command restrictions.

Use firewall rules (platform: linux)

Restrict FTP access to trusted networks only:

  iptables -A INPUT -p tcp --dport 21 -s TRUSTED_NET -j ACCEPT
  iptables -A INPUT -p tcp --dport 21 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate FTP servers
  • Monitor FTP logs for MLSD/MLST commands from unauthenticated users

🔍 How to Verify

Check if Vulnerable:

Connect to the FTP server and issue an MLSD or MLST command before logging in (before any USER/PASS exchange). A vulnerable server answers with a directory listing or file metadata instead of rejecting the command.

Check Version:

  • ftpd -v
  • or check the package version: pkg_info | grep ftpd

Verify Fix Applied:

After patching, an MLSD/MLST attempt before authentication should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • MLSD or MLST commands from unauthenticated users
  • FTP session without successful USER/PASS commands

Network Indicators:

  • MLSD/MLST commands on the FTP control channel before any USER/PASS exchange

SIEM Query:

source="ftp.log" AND (command="MLSD" OR command="MLST") AND NOT auth_success="true"
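The log indicators above, turned into a small detector as an added example (not part of this advisory). The line format, the session ids and the `find_preauth_listings` function are constructed for illustration; a real ftpd or syslog format needs its own parser, but the logic is the same: track per-session login state and flag MLSD/MLST seen before a successful PASS (reply 230).

```python
"""Flag FTP sessions that issue MLSD/MLST before a successful login."""
import re
from collections import defaultdict

# Constructed sample log: one control-channel command per line with the
# server's three-digit reply code. Session 1 lists after logging in (fine);
# sessions 2 and 3 list before any successful PASS (CVE-2023-45198 pattern).
SAMPLE_LOG = """\
sess=1 cmd=USER reply=331
sess=1 cmd=PASS reply=230
sess=1 cmd=MLSD reply=150
sess=2 cmd=MLST reply=250
sess=2 cmd=USER reply=331
sess=3 cmd=USER reply=331
sess=3 cmd=PASS reply=530
sess=3 cmd=MLSD reply=150
"""

LINE_RE = re.compile(r"sess=(\S+) cmd=(\S+) reply=(\d{3})")
LISTING_CMDS = {"MLSD", "MLST"}


def find_preauth_listings(log_text):
    """Return {session: [commands]} for MLSD/MLST seen before a 230 reply to PASS.

    A 530 reply to PASS is a failed login, so the session stays unauthenticated.
    Lines that do not match the expected format are skipped, not treated as hits.
    """
    authed = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, cmd, reply = m.groups()
        cmd = cmd.upper()
        if cmd == "PASS" and reply == "230":
            authed.add(sess)  # login succeeded; later listings are legitimate
        elif cmd in LISTING_CMDS and sess not in authed:
            hits[sess].append(cmd)
    return dict(hits)


if __name__ == "__main__":
    for sess, cmds in find_preauth_listings(SAMPLE_LOG).items():
        print(f"session {sess}: pre-auth listing via {', '.join(cmds)}")
```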
