CVE-2021-46854: 
ProFTPd vulnerability analysis and mitigation

CVE-2021-46854 affects the mod_radius component in ProFTPD versions before 1.3.7c. The vulnerability was discovered in 2021 and publicly disclosed on November 23, 2022. The issue allows memory disclosure to RADIUS servers because it copies blocks of 16 characters during password authentication (NVD, Gentoo Security).

The vulnerability occurs in modradius when it copies the client-supplied password into a temporary buffer to encrypt it with the RADIUS shared secret. The module follows padding rules that require the password length to be a multiple of 16. When the password length is not an exact multiple, modradius copies the 'rounded up' count of bytes from the password buffer into the temporary buffer, thereby leaking memory contents beyond the actual password. For FTP sessions, this often results in a copy of the password itself, preceded by some null bytes and followed by arbitrary memory contents (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows RADIUS servers used for authentication to receive unauthorized contents of the ProFTPD process's memory. This could potentially expose sensitive information that resides in the process memory (Gentoo Security).

The vulnerability was fixed in ProFTPD version 1.3.7c. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability other than upgrading to a patched version (Gentoo Security, Release Notes).