CVE-2024-48651
📋 TL;DR
This ProFTPD vulnerability allows authenticated users to gain unintended access to files owned by group ID 0 (root group) due to improper supplemental group inheritance when using mod_sql. The flaw occurs because mod_sql fails to properly set supplemental groups, causing users to inherit GID 0 access. This affects ProFTPD servers with mod_sql enabled and configured for user authentication.
💻 Affected Systems
- ProFTPD
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authenticated users could read, modify, or delete files owned by the root group that they shouldn't have access to, potentially leading to privilege escalation or data exposure.
Likely Case
Authenticated FTP users gain unintended read/write access to files owned by GID 0 that should be restricted, potentially exposing sensitive system files or configuration data.
If Mitigated
With proper file permissions and access controls, the impact is limited to files that happen to be owned by GID 0 but have overly permissive group permissions.
🎯 Exploit Status
Exploitation requires authenticated FTP access and mod_sql configuration. The vulnerability is in group inheritance logic, not authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ProFTPD with commit cec01cc or later
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html
Restart Required: Yes
Instructions:
1. Update ProFTPD to a version containing commit cec01cc or later.
2. For Debian/Ubuntu: apt update && apt upgrade proftpd
3. For source builds: git pull from the official repository and rebuild.
4. Restart the ProFTPD service.
🔧 Temporary Workarounds
Disable mod_sql
Remove or comment out the mod_sql module loading if it is not required
# Edit proftpd.conf and remove/comment: LoadModule mod_sql.c
# Then restart: systemctl restart proftpd
Restrict GID 0 file permissions
Ensure files owned by GID 0 have restrictive group permissions
# Review files: find / -gid 0 -type f -ls
# Set restrictive permissions: chmod g-rwx /path/to/file
🧯 If You Can't Patch
- Disable mod_sql module if not essential for operations
- Implement strict file permissions on all files owned by GID 0 and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether mod_sql is enabled in proftpd.conf and the version predates commit cec01cc (note that this grep only matches the 1.3.8b release string exactly, and the mod_sql grep also matches commented-out lines, so confirm the result by hand): proftpd -v | grep '1.3.8b' && grep -i 'mod_sql' /etc/proftpd/proftpd.conf
Check Version:
proftpd -v
Verify Fix Applied:
Verify ProFTPD version includes commit cec01cc or is newer than 1.3.8b: proftpd -v
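As an added example (not from this advisory or the ProFTPD project), the following Python script performs the two checks above more carefully than the single grep: it ignores commented-out lines in proftpd.conf, looks for the mod_sql authentication directives, and parses the version from proftpd -v output. The sample configuration is constructed, the "ProFTPD Version 1.3.8b" output format is assumed, and whether a given build includes commit cec01cc still has to be confirmed manually.

```python
import re

# Directives that only parse when mod_sql is present and that wire it into
# user authentication, which is the configuration this CVE concerns.
SQL_AUTH_DIRECTIVES = {"sqlauthenticate", "sqlauthtypes", "sqluserinfo", "sqlconnectinfo"}

# Last release the advisory names as affected: anything at or below it needs
# the commit check, anything newer is treated as fixed.
LAST_AFFECTED = (1, 3, 8, "b")

# Constructed sample config (not a real server's file): mod_sql is loaded and
# authenticates users; the commented-out LoadModule line must be ignored.
SAMPLE_CONF = """\
ServerName "Example FTP"
LoadModule mod_sql.c
# LoadModule mod_sql_mysql.c
<IfModule mod_sql.c>
  SQLAuthTypes  Crypt
  SQLAuthenticate users groups
  SQLConnectInfo ftpdb@localhost ftpuser PLACEHOLDER_PASSWORD
</IfModule>
"""

def active_directives(conf_text):
    """Yield (directive, args) for each active line, skipping comments and <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def mod_sql_auth_status(conf_text):
    """Report whether mod_sql is loaded via LoadModule and whether it authenticates users."""
    directives = list(active_directives(conf_text))
    loaded = any(n == "loadmodule" and a.lower() == "mod_sql.c" for n, a in directives)
    auth = sorted({n for n, _ in directives if n in SQL_AUTH_DIRECTIVES})
    # mod_sql may also be compiled in statically, so the auth directives decide scope.
    return {"loadmodule": loaded, "auth_directives": auth, "in_scope": bool(auth)}

def parse_version(proftpd_v_output):
    """Extract (major, minor, patch, suffix) from output like 'ProFTPD Version 1.3.8b' (assumed format)."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", proftpd_v_output)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)) if m else None

def assess(conf_text, proftpd_v_output):
    """Combine the config and version checks into a single verdict string."""
    status = mod_sql_auth_status(conf_text)
    version = parse_version(proftpd_v_output)
    if not status["in_scope"]:
        return "not in scope: mod_sql is not configured for authentication"
    if version is None:
        return "in scope: mod_sql authenticates users; version unknown, check the build for commit cec01cc"
    if version > LAST_AFFECTED:
        return "in scope but fixed: version is newer than 1.3.8b"
    return "potentially vulnerable: version %d.%d.%d%s needs commit cec01cc" % version
```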
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns by authenticated users to files owned by GID 0
- Failed permission checks in ProFTPD logs for GID 0 files
Network Indicators:
- Normal FTP traffic patterns - no specific network indicators
SIEM Query:
source="proftpd.log" (file_access OR permission_denied) AND gid="0"