1. Home
  2. Network Vulnerabilities
  3. How to remediate – FTP Supports Cleartext Authentication
Searching...

How to remediate – FTP Supports Cleartext Authentication

Contents

1. Introduction

The vulnerability “FTP Supports Cleartext Authentication” means usernames and passwords sent to an FTP server are not encrypted. This allows attackers to intercept login details using network monitoring tools, potentially compromising accounts. Systems running FTP servers without encryption are affected, particularly those handling sensitive data. Confidentiality is the primary risk, with potential impacts on integrity if access is gained.

2. Technical Explanation

The remote FTP server allows credentials to be transmitted in plain text. An attacker can use a network sniffer like Wireshark or run a man-in-the-middle attack to capture the username and password during login. This is due to the lack of encryption used by standard FTP.

  • Root cause: The FTP protocol does not encrypt control channel communication, exposing credentials in cleartext.
  • Exploit mechanism: An attacker passively captures network traffic containing FTP login attempts using a packet sniffer or actively intercepts and relays the connection to steal credentials. For example, an attacker could use Wireshark on a compromised network segment to capture usernames and passwords as they are sent during an FTP session.
  • Scope: Affected platforms include any operating system running an FTP server configured without encryption (SFTP or FTPS).

3. Detection and Assessment

Confirming vulnerability involves checking the FTP server configuration and monitoring network traffic for cleartext credentials.

  • Quick checks: Use `netstat -an | grep ftp` to see if an FTP service is running on port 21.
  • Scanning: Nessus plugin ID 30785 can identify FTP servers supporting cleartext authentication as an example.
  • Logs and evidence: Examine network traffic captures for the “USER” and “PASS” commands in plain text, indicating unencrypted login attempts.
netstat -an | grep ftp

4. Solution / Remediation Steps

Switching to a secure FTP protocol like SFTP or FTPS is the recommended solution.

4.1 Preparation

  • Ensure alternative access methods are available during maintenance. Roll back by restoring the original configuration and restarting the FTP service.
  • A change window may be required for planned downtime. Approval from IT security is recommended.

4.2 Implementation

  1. Step 1: Disable standard FTP on the server.
  2. Step 2: Enable SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS).
  3. Step 3: Configure the server to require encryption for all FTP connections.

4.3 Config or Code Example

Before

# /etc/vsftpd.conf (example)
anonymous_enable=YES
local_enable=YES

After

# /etc/vsftpd.conf (example)
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

4.4 Security Practices Relevant to This Vulnerability

Several security practices can mitigate this vulnerability type.

  • Practice 1: Least privilege – limit user access rights to reduce the impact of compromised credentials.
  • Practice 2: Secure defaults – configure services with encryption enabled by default whenever possible.
  • Practice 3: Patch cadence – Regularly update FTP server software to address known vulnerabilities and improve security features.

4.5 Automation (Optional)

# Example Ansible task to disable anonymous FTP
- name: Disable anonymous FTP access
  lineinfile:
    path: /etc/vsftpd.conf
    regexp: '^anonymous_enable=YES'
    line: 'anonymous_enable=NO'
  notify: Restart vsftpd

5. Verification / Validation

Confirm the fix by verifying encryption is enabled and attempting a connection without encryption fails.

  • Post-fix check: Use `netstat -an | grep ftp` to confirm only encrypted connections are active (e.g., port 990 for FTPS).
  • Re-test: Run the earlier network capture test; no cleartext credentials should be visible.
  • Smoke test: Verify users can still connect and transfer files using SFTP or FTPS.
  • Monitoring: Monitor FTP server logs for failed connection attempts due to encryption requirements as an example.
netstat -an | grep ftp

6. Preventive Measures and Monitoring

Update security baselines and implement CI/CD checks to prevent similar issues.

  • Baselines: Update a security baseline or policy to require encryption for all FTP services (for example, CIS control 1.2).
  • Pipelines: Add static analysis tools in CI pipelines to check for insecure configurations like cleartext authentication.
  • Asset and patch process: Implement a regular patch review cycle for FTP server software.

7. Risks, Side Effects, and Roll Back

Switching protocols may require client-side updates or configuration changes.

  • Risk or side effect 2: Service interruption – downtime is possible during the switchover; plan accordingly.
  • Roll back: Restore the original FTP configuration files and restart the service to revert to the previous state.

8. References and Resources

  • Vendor advisory or bulletin: N/A – This is a protocol issue, not specific to one vendor.
  • NVD or CVE entry: CWE-522
  • Product or platform documentation relevant to the fix: Consult your FTP server software’s documentation for SFTP and FTPS configuration instructions.
Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles