Tuesday, March 4, 2008

FTP Bounce Attacks in Embedded Servers

A potential security risk in the FTP protocol can complicate embedded systems designs. If your device implements an FTP server that strictly conforms to the FTP protocol (RFC 959), your system could be used to attack other hosts on the network. Strict FTP conformance in your product can also generate a security alert like this one for Canon multifunction printers.

The security vulnerability in FTP is known as the FTP bounce attack. If successful, it allows unauthorized access to a third-party host through an intermediate FTP server by misusing the PORT command. The attack will only occur if the intermediate server is configured to allow anonymous FTP access. There were valid reasons to allow third-party access in the FTP protocol, such as sending a file from a server to a printer (FTP print server) or transferring files between two servers remotely, so this security vulnerability will be present in any conforming FTP implementation.

The Canon printers in the alert already allowed you to disable anonymous FTP, or disable FTP altogether, but Canon still decided to provide a firmware upgrade through service centers that will install a safer but non-conforming FTP implementation. This is similar to what the OS vendors and open-source projects chose to do when the FTP bounce attack was first discovered in 1997. They still allow strict FTP conformance with a change in configuration, but the default is to prevent third-party access.
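One way an embedded server can refuse third-party PORT targets, as an added example in C that is not from the original post or from any vendor's firmware: it accepts a PORT argument only when the address equals the control-connection peer. The function names, result codes and sample addresses are assumptions made for illustration, the command argument is assumed to have its CRLF already stripped, and the rejection of ports below 1024 is extra hardening the post does not mention.

```c
#include <stdint.h>
#include <stdio.h>

enum port_check { PORT_OK, PORT_SYNTAX, PORT_FOREIGN_HOST, PORT_PRIVILEGED };

/* Parse "h1,h2,h3,h4,p1,p2" (RFC 959 PORT argument) into six octets. */
static int parse_fields(const char *s, unsigned v[6])
{
    for (int i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9' && digits < 3) {
            n = n * 10 + (unsigned)(*s++ - '0');
            digits++;
        }
        if (digits == 0 || n > 255)
            return -1;
        if (*s != (i < 5 ? ',' : '\0'))   /* separator, or end after p2 */
            return -1;
        if (i < 5)
            s++;
        v[i] = n;
    }
    return 0;
}

/* peer_ip: control-connection client IPv4 address, host byte order
 * (in a real server, taken from getpeername() on the control socket). */
enum port_check check_port_arg(const char *arg, uint32_t peer_ip, uint16_t *port_out)
{
    unsigned v[6];
    if (parse_fields(arg, v) != 0)
        return PORT_SYNTAX;
    uint32_t ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    unsigned port = (v[4] << 8) | v[5];
    if (ip != peer_ip)
        return PORT_FOREIGN_HOST;   /* third-party target: the bounce case */
    if (port < 1024)
        return PORT_PRIVILEGED;     /* added hardening, not from the post */
    *port_out = (uint16_t)port;
    return PORT_OK;
}

int main(void)
{
    uint16_t port;
    uint32_t client = (192u << 24) | (2u << 8) | 10u;   /* constructed: 192.0.2.10 */
    printf("%d\n", check_port_arg("192,0,2,10,195,80", client, &port));   /* own address */
    printf("%d\n", check_port_arg("198,51,100,7,0,25", client, &port));   /* other host */
    return 0;
}
```

A server that keeps strict conformance as a configuration option would skip the address comparison only when that option is enabled, leaving the check on by default.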