Vulnerability in ProFTP 1.3.3d (PCI Compliance)

[JohnToTheK]

We are currently using Plesk Panel 10.0.0 on CentOS 4.9. I realize our server is well out of date, but due to extraneous circumstances, we haven't been able to update it.

While that is the case, we are still held to PCI compliance standards. One of their scans flagged our server with this:

possible vulnerability in ProFTP 1.3.3d

Risk: High (3)
Port: 20/tcp
Protocol: tcp
Threat ID: ftp_proftp

Details: Response Pool Use-After-Free Vulnerability

11/17/11
CVE 2011-4130
ProFTPD before 1.3.3g is prone to a vulnerability,
which can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to a use-after-free error when handling response pool allocation lists and can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code.

Information From Target:
Service: ftp
Received: 220 ProFTPD 1.3.3d Server (ProFTPD)

My question is this: is it possible to upgrade ProFTPD to at least 1.3.3g on our server? We can't use the yum command anymore, since they've turned off the repositories for our outdated server. What are our options here? Thanks so much for any advice!

 

[Blake@Parallels]

Hi John,

We addressed this in a November 2011 update: http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html

I recommend to make sure your Plesk software is up to date. The latest release in the 10.x series is 10.4 MU43, while the latest release overall is 11.0 MU14.

 

[JohnToTheK]

Blake, thanks so much for the reply.

Since we are currently running CentOS 4.9, we were told that we can't update past Plesk 10.0.0, where we are now. So I have been operating under the assumption that unless we change our server, we can't update Plesk anymore.

Is that true?

If that is true, is there any other option for upgrading ProFTP, outside of upgrading Plesk?

 

[Blake@Parallels]

CentOS 4 is actually supported up to Plesk 10.2. You could update to this version and apply all MicroUpdates to get the ProFTPd fixed version. http://download1.parallels.com/Ples...nel-10-linux-updates-release-notes.html#10212

That said, given that CentOS 4 has been EOL'ed by its vendor, I think it would be in your best interests (in terms of both PCI and security overall) to get a new server with CentOS 5 or CentOS 6 with Plesk 11.x and migrate your Plesk instance to this new server at your earliest convenience.

 

[JohnToTheK]

Excellent, great information. I really appreciate your prompt and helpful comments! Cheers!