VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2021 · Updated Aug 4, 2024

CVE-2020-19596

Description

A buffer overflow in Core FTP Server v1.2 Build 583 allows an unauthenticated attacker to crash the service or achieve remote code execution via a crafted username.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in Core FTP Server v1.2 Build 583, specifically in the handling of the username field during authentication over SFTP/SSH with SSH key authentication enabled. The server does not properly validate the length of the username input, so a sufficiently long string overflows the receiving buffer and corrupts adjacent memory. The issue is in the Core FTP Server component (not the client) and is reachable without prior authentication [1].

Exploitation

An unauthenticated remote attacker with network access to the Core FTP Server (listening on the SFTP port, typically TCP 22) can send a crafted SSH key-exchange message containing an overly long username. The attacker does not need any credentials or prior access. Upon processing the malformed username, the server crashes or enters a vulnerable state that allows control of execution flow. The exploit does not require user interaction on the target system [1].

Impact

Successful exploitation can lead to a denial of service (DoS) by crashing the server, or in more advanced scenarios, remote code execution (RCE) under the context of the Core FTP Server process, typically running with elevated privileges (SYSTEM or Administrator). The attacker may gain full control of the affected server, including the ability to read, write, and delete arbitrary files, or pivot to other systems on the network [1].

Mitigation

As of the publication of this CVE, no official patch or updated version has been released by Core FTP. The vendor has not acknowledged the vulnerability or provided a fix, and Core FTP Server v1.2 Build 583 is likely end-of-life. The only mitigations are to disable the SFTP/SSH service if not required, restrict network access to trusted hosts only via firewall rules, and consider migrating to a different FTP server software that receives active security updates. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in the index yet)