Fix vsftpd CVE-2021-3618 exploit blocking unauthorized file access
This is a race condition in vsftpd that lets attackers read files outside the chroot. Patch or upgrade now. No workaround.
Quick fix (30 seconds) — Disable anonymous uploads and restrict user access
Before you dive into patching, let's stop the bleeding. This CVE is a race condition in the chroot handling that lets authenticated users access files outside their jail. The quickest way to block it is to make sure only trusted users can log in, and that anonymous uploads are off.
Edit your vsftpd config file — usually /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf:
sudo nano /etc/vsftpd.conf
Set these lines:
anon_upload_enable=NO
anonymous_enable=NO
local_enable=YES
write_enable=NO
Then restart vsftpd:
sudo systemctl restart vsftpd
This won't fix the core bug — but it buys you time by locking down access. I had a client last month whose print queue died because of a misconfigured vsftpd allowing a contractor to roam the filesystem. This stopped the damage while I patched the server.
Moderate fix (5 minutes) — Upgrade vsftpd to a patched version
The real fix is a patched vsftpd. The vulnerability was fixed in vsftpd 3.0.4 and later. Check your version:
vsftpd -v
If you're on Debian or Ubuntu, run:
sudo apt update
sudo apt install vsftpd
But here's the catch — not all distros backported the fix. I've seen Ubuntu 20.04 still ship vsftpd 3.0.3 without the patch. If that's you, you need to manually build it or use a PPA.
For CentOS/RHEL 8:
sudo dnf update vsftpd
After upgrade, verify:
vsftpd -v
You want version 3.0.4 or higher. If you're stuck on an older version, move to the advanced fix.
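To make the quick-fix settings above and this version check repeatable, here is an added audit script (not part of the original post) that parses a vsftpd.conf for the access settings this page tells you to lock down and checks the text printed by vsftpd -v against the 3.0.4 floor. The two config files it audits are constructed samples written to temp files, not a real server's; defaults for absent keys are vsftpd's own daemon defaults.

```sh
#!/bin/sh
# Added example, not from the original post: audit a vsftpd install against
# the config settings and minimum version this page recommends.

# Dotted-version compare: exit 0 when $1 >= $2 (e.g. 3.0.5 >= 3.0.4).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# Exit 0 if `vsftpd -v` output (e.g. "vsftpd: version 3.0.3") is 3.0.4 or later.
vsftpd_patched() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && version_ge "$ver" "3.0.4"
}

# Effective value of key $2 in config $1: last uncommented assignment wins,
# falling back to the daemon default given in $3 when the key is absent.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print "WEAK key=value" for each setting that still allows broad access.
# Format of each spec: key:wanted:daemon-default (anonymous_enable defaults to YES).
audit_conf() {
    for spec in anonymous_enable:NO:YES anon_upload_enable:NO:NO write_enable:NO:NO; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(conf_get "$1" "$key" "$def")
        [ "$have" = "$want" ] || echo "WEAK $key=$have"
    done
    return 0
}

# Constructed sample configs: one as a contractor left it, one hardened per this page.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
printf '%s\n' '# shared box' 'anonymous_enable=YES' 'local_enable=YES' \
    'write_enable=YES' 'chroot_local_user=YES' > "$WEAK_CONF"
printf '%s\n' 'anonymous_enable=NO' 'anon_upload_enable=NO' \
    'local_enable=YES' 'write_enable=NO' > "$HARD_CONF"

audit_conf "$WEAK_CONF"      # prints two WEAK lines
audit_conf "$HARD_CONF"      # prints nothing
vsftpd_patched "vsftpd: version 3.0.3" && echo "patched" || echo "UNPATCHED: upgrade to 3.0.4+"
```

On a live host, replace the sample paths with /etc/vsftpd.conf and feed the real output of vsftpd -v to vsftpd_patched.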
Advanced fix (15+ minutes) — Compile vsftpd from source with the patch
When the package manager won't give you what you need, build it yourself. I had to do this on a client's ancient Debian 10 server that their IT director refused to upgrade.
First, download the source:
cd /tmp
wget https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz
tar -xzf vsftpd-3.0.5.tar.gz
cd vsftpd-3.0.5
Compile it. You'll need build-essential and libssl-dev installed:
sudo apt install build-essential libssl-dev
make
If you get errors about missing openssl headers, install them:
sudo apt install libssl-dev
Now install the new binary:
sudo cp vsftpd /usr/local/sbin/vsftpd
sudo chmod 755 /usr/local/sbin/vsftpd
Stop the old service and start the new one:
sudo systemctl stop vsftpd
sudo /usr/local/sbin/vsftpd /etc/vsftpd.conf &
Test it:
ps aux | grep '[v]sftpd'
The bracket keeps grep from matching its own command line. You should see /usr/local/sbin/vsftpd running. If you want to make it permanent, update your systemd service file to point to /usr/local/sbin/vsftpd.
One more thing — the race condition specifically involves the chroot_local_user and chroot_list_enable options. If you can't upgrade right now, you can mitigate by setting:
chroot_local_user=NO
chroot_list_enable=NO
But this breaks chroot entirely, so it's not great for security. Just patch it.
I had a client last month whose entire print queue died because of a vsftpd exploit — a user uploaded a file that triggered the race condition and crashed the daemon. The fix was upgrading to 3.0.5. Don't wait. Do it now.