CCE-92420-9Platform: cpe:/o:oracle:linux:7 | Date: (C)2019-11-07 (M)2023-07-04 |
Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
'local_enable=NO'
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
these logins as much as possible.
Parameter:
[yes/no]
Technical Mechanism:
The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.
CCSS Severity: | CCSS Metrics: |
CCSS Score : 9.8 | Attack Vector: NETWORK |
Exploit Score: 3.9 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: CRITICAL | User Interaction: NONE |
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:49362 |