CVE-2024-46483: 
Xlight FTP Server vulnerability analysis and mitigation

CVE-2024-46483 is a critical integer overflow vulnerability affecting Xlight FTP Server versions prior to 3.9.4.3. The vulnerability exists in the packet parsing logic of the SFTP server component, which can lead to a heap overflow with attacker-controlled content. This pre-authentication vulnerability was disclosed on October 22, 2024, and received a CVSS score of 9.8 (Critical) from CISA-ADP (NVD, Censys).

The vulnerability stems from an integer overflow in the function that reads strings from network packets in the SFTP protocol. When validating string lengths and allocating memory, the function fails to properly handle four-byte length prefixes. This can trigger a large memmove operation (~4GB) from an attacker-controlled buffer out-of-bounds onto the heap. The vulnerability can be exploited during the SSH handshake process, including pre-authentication stages when receiving supported algorithms, cipher suites, and user credentials (GitHub).

The impact varies depending on the version of Xlight FTP Server being used. For 32-bit versions, attackers can overwrite critical data structures on the heap, potentially leading to code execution. In 64-bit versions, while code execution is less likely, the vulnerability can still cause system crashes resulting in denial of service. Censys research identified approximately 3,520 exposed Xlight FTP Servers online, with 45% running vulnerable versions (Censys).

Users of Xlight FTP Server versions 3.9.4.2 and earlier are strongly urged to update to version 3.9.4.3 or later immediately. Organizations with public-facing Xlight FTP Server instances should check for indicators of compromise and avoid exposing network device admin portals on the public internet (Censys).