SurgeFTP contains a flaw that may allow a remote denial of service. The issue is triggered when receiving the LEAK command, SurgeFTP will call the cmd_leak() function. cmd_leak() will in turn call the mgr_cmd_openmore() function. mgr_cmd_openmore() will open the file "a.a_write" 925 times, thus potentially causing the process to run out of file handles, and will result in loss of availability for the server.
Upgrade to version 2.2m2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Discovery is credited to <email@example.com>.
NetWin SurgeFTP 2.2 m1
NetWin SurgeFTP 2.2 k3
SurgeFTP is prone to a denial of service condition. This issue exists when the LEAK command is issued to the FTP server. Successful exploitation will cause the FTP server to either refuse new connections or not be able to send or receive files.
There is no exploit code required.
This issue was reportedly fixed by the vendor in SurgeFTP 2.2m2, however, this has not been confirmed by Symantec.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.