1. Introduction
The Ariel FTP Server Default ‘document’ Account vulnerability allows unauthenticated access to a remote FTP server using a known username and password combination. The risk is critical: an attacker can read sensitive files stored in the print queue or abuse the server for other purposes, affecting the confidentiality, integrity, and availability of data. Ariel FTP servers are used primarily by academic institutions.
2. Technical Explanation
The vulnerability stems from an insecure default configuration in Ariel FTP Server that allows login to the ‘document’ (or ‘ariel4’) account with a password derived from the connecting host’s IP address. An attacker who knows this scheme can log in without possessing any legitimate credentials. There is no known CVE associated with this specific issue; it is an unsafe default configuration.
- Root cause: The ‘document’ account uses a predictable password derived from the connecting client’s IP address.
- Exploit mechanism: An attacker connects to the FTP server with an FTP client and attempts to log in with the username ‘document’ (or ‘ariel4’) and the corresponding hex-encoded password generated from their IP address.
- Scope: Ariel FTP Server installations in which the default account has not been disabled or its password changed.
3. Detection and Assessment
You can confirm the vulnerability by attempting a login with the default credentials. A quick check is to connect to port 21 of the target server and confirm that the FTP service answers. A thorough assessment attempts authentication as both ‘document’ and ‘ariel4’.
- Quick checks: Use `telnet <target-host> 21` to verify whether the FTP service is listening on port 21.
- Scanning: Nessus plugin ID 10873 can detect this issue, but results should be verified manually.
- Logs and evidence: Check FTP server logs for successful logins using the usernames ‘document’ or ‘ariel4’ from unknown sources. Log locations vary depending on the Ariel FTP Server configuration.

```shell
telnet <target-host> 21
```

4. Solution / Remediation Steps
The following steps detail how to remediate this vulnerability by filtering incoming traffic or disabling the default account.
4.1 Preparation
- Ensure you have administrator access to the server and a rollback plan in case of issues.
- A change window may be required for production systems. Approval from IT security is recommended.
4.2 Implementation
- Step 1: Filter incoming traffic on port 21 to only allow trusted IP addresses or networks using a firewall or access control list (ACL).
- Step 2: If possible, disable the ‘document’ account within the Ariel FTP Server configuration.
- Step 3: Restart the Ariel FTP service to apply changes.
4.3 Config or Code Example
Before

```shell
# No specific configuration blocking default account access (example)
```

After

```shell
# Firewall rule example: drop all traffic to port 21 except from the trusted IP.
# -A appends, so make sure no earlier INPUT rule already accepts port 21;
# replace <trusted-ip> with the address (or widen the mask to a trusted network).
iptables -A INPUT -p tcp --dport 21 ! -s <trusted-ip>/32 -j DROP
```
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of vulnerability. Least privilege limits the impact if an account is compromised. Safe defaults ensure systems start with a secure configuration. A patch cadence ensures timely updates and fixes for known issues.
- Practice 1: Implement least privilege by restricting access to sensitive data and services based on user roles and responsibilities.
4.5 Automation (Optional)
If using infrastructure-as-code, you can automate firewall rule updates to block access from untrusted sources.
```yaml
# Example Ansible task using the ansible.builtin.iptables module:
- name: Block FTP access except from the trusted IP
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "21"
    # The leading "!" inverts the match: everything except the trusted source is dropped.
    source: "! <trusted-ip>/32"
    jump: DROP
    state: present
```
5. Verification / Validation
- Post-fix check: Attempt an FTP connection as user ‘document’ (or ‘ariel4’). Expect a “Login incorrect” message, or a refused connection if traffic is blocked.
- Re-test: Re-run the `telnet` command from section 3 and attempt login with default credentials to confirm failure.
- Smoke test: Verify that legitimate users can still access the FTP server using their valid credentials.
- Monitoring: Monitor FTP server logs for failed login attempts using usernames ‘document’ or ‘ariel4’ as an indicator of potential attacks.
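A defender-side check for the log indicators named in section 3 (“Logs and evidence”) and in the Monitoring bullet above, added here as an example and not part of the original advisory. It parses constructed vsftpd-style login records (Ariel’s own log format is not given on this page, so the regular expression is an assumption to adapt), flags every successful login as ‘document’ or ‘ariel4’, grades it by whether the source is in a trusted allow-list, and counts failed attempts against those accounts as a probing indicator.

```python
import ipaddress
import re
from collections import Counter

# Accounts this advisory names as insecure defaults.
DEFAULT_ACCOUNTS = {"document", "ariel4"}

# Constructed sample records in vsftpd's log style (assumption: Ariel's own
# log format may differ, so adapt LOG_RE to what your server actually writes).
SAMPLE_LOG = """\
Mon Mar  4 10:15:02 2024 [pid 2231] [document] OK LOGIN: Client "203.0.113.45"
Mon Mar  4 10:15:40 2024 [pid 2240] [ariel4] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:15:41 2024 [pid 2240] [ariel4] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  4 10:16:10 2024 [pid 2251] [libstaff] OK LOGIN: Client "192.0.2.10"
Mon Mar  4 10:17:00 2024 [pid 2260] [document] OK LOGIN: Client "192.0.2.10"
"""

LOG_RE = re.compile(r'^.{24} \[pid \d+\] \[(?P<user>[^\]]+)\] '
                    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[0-9.]+)"$')


def analyze_ftp_log(text, trusted_cidrs):
    """Return (findings, fail_counts). findings: (severity, user, ip, reason)
    tuples for logins worth reviewing; fail_counts: failed attempts per
    (user, ip) against the default accounts, a probing indicator."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings, fail_counts = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login record
        user, result, ip = m["user"], m["result"], ipaddress.ip_address(m["ip"])
        is_default = user.lower() in DEFAULT_ACCOUNTS
        from_trusted = any(ip in net for net in trusted)
        if is_default and result == "FAIL":
            fail_counts[(user, str(ip))] += 1
        elif is_default:
            # Any successful login to a default account is the vulnerability
            # itself; from outside the allow-list it is critical.
            sev = "HIGH" if from_trusted else "CRITICAL"
            findings.append((sev, user, str(ip), "default account login"))
        elif result == "OK" and not from_trusted:
            findings.append(("MEDIUM", user, str(ip), "login from untrusted source"))
    return findings, fail_counts


if __name__ == "__main__":
    found, fails = analyze_ftp_log(SAMPLE_LOG, ["192.0.2.0/24"])
    for f in found:
        print("%-8s user=%-9s src=%-14s %s" % f)
    print("failed default-account attempts:", dict(fails))
```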
```shell
telnet <target-host> 21
# Attempt login as document/ariel4 - expect failure.
```

6. Preventive Measures and Monitoring
Update security baselines to include strong password policies and default account restrictions. Implement checks in CI/CD pipelines to scan for insecure configurations. A regular patch review cycle ensures timely application of security updates.
- Pipelines: Add static analysis tools (SAST) to CI/CD pipelines to detect insecure configurations like default accounts in configuration files.
- Asset and patch process: Implement a regular patch review cycle of at least monthly for critical systems.
7. Risks, Side Effects, and Roll Back
Filtering incoming traffic could block legitimate users if not configured correctly. Disabling the ‘document’ account may impact functionality depending on existing configurations. To roll back, remove the firewall rule or re-enable the ‘document’ account in Ariel FTP Server configuration.
- Risk or side effect: Disabling the ‘document’ account may break existing processes that rely on it. Mitigation: document any dependencies and have alternative solutions in place before disabling the account.
- Roll back: Step 1: Remove the firewall rule blocking access to port 21. Step 2: Re-enable the ‘document’ account within the Ariel FTP Server configuration. Step 3: Restart the Ariel FTP service.
8. References and Resources
- Vendor advisory or bulletin: No specific vendor advisory available for this default account issue.
- NVD or CVE entry: No specific CVE associated with this issue.
- Product or platform documentation relevant to the fix: Ariel FTP Server Documentation