Vendor of Product: TRENDnet

Affected Product and Version: TPL-430AP FW1.0

Description: In TRENDnet TPL-430AP FW1.0, the USERLIMIT_GLOBAL property is set to "0" in the bftpd configuration file (/etc/bftpd.conf). bftpd then places no cap on the number of concurrent FTP sessions, so a remote client can open connections without limit and exhaust the device's connection-handling resources, resulting in a denial of service.

Detail:

The TRENDnet TPL-430AP firmware ships /etc/bftpd.conf with the following setting (partial content of the file):

USERLIMIT_GLOBAL="0"

The official bftpd documentation (https://bftpd.sourceforge.net/doc/en/bftpddoc-en-6.html) describes this option as follows.

Name: USERLIMIT_GLOBAL
Description: The number of users that can be logged in at the same time. If set to "0", an unlimited number of users will be able to connect. This is not recommended, as it makes DoS attacks possible, even if the clients are kicked after a short time.

Values:
"0" - (zero) default. This is not recommended.
On most small servers, the connection limit should probably be below twenty ("20") but above five ("5").

This is a misconfiguration vulnerability: the firmware ships exactly the value that bftpd's own documentation warns against. With USERLIMIT_GLOBAL="0", nothing bounds the number of simultaneous FTP sessions, so an attacker who keeps opening connections can exhaust the device's connection-handling resources and deny service to legitimate users; kicking idle clients after a timeout does not prevent this, as the documentation notes. The fix is to set USERLIMIT_GLOBAL to a small finite value (the documentation suggests above five and below twenty for a small server), which bftpd enforces by refusing further logins once the limit is reached. On an affected device the setting can be confirmed with grep USERLIMIT_GLOBAL /etc/bftpd.conf.
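The following script is an added example, not code from the advisory, from TRENDnet, or from the bftpd project. It audits a bftpd.conf for the USERLIMIT_GLOBAL weakness described above, using the thresholds from the quoted documentation, and runs against two constructed config fragments: one with the shipped value "0" and one hardened to "10". The simplified parser (KEY="value" lines grouped by the enclosing global/user/group block, with assignments outside any block treated as global) and the sample fragments are assumptions for illustration, not the exact contents of the TPL-430AP image.

```python
"""Audit a bftpd.conf for an unbounded USERLIMIT_GLOBAL (added example)."""
import re

# KEY="value" assignment and block openers such as 'global {' or 'user ftp {'.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"\s*$')
BLOCK_RE = re.compile(r'^\s*(global|user\s+\S+|group\s+\S+)\s*\{\s*$')

# Constructed sample fragments (assumption: not copied from the firmware image).
VULNERABLE_CONF = """\
# bftpd.conf as shipped: no cap on concurrent sessions
global {
  PORT="21"
  USERLIMIT_GLOBAL="0"
}
user ftp {
  ROOTDIR="/tmp"
}
"""

HARDENED_CONF = """\
# bftpd.conf with a finite session limit in the documented 5-20 range
global {
  PORT="21"
  USERLIMIT_GLOBAL="10"
}
user ftp {
  ROOTDIR="/tmp"
}
"""


def parse_bftpd_conf(text):
    """Return {block_name: {KEY: value}} for a bftpd-style config.

    Simplified parser (assumption): '#' starts a comment, blocks are
    'global { ... }', 'user NAME { ... }' or 'group NAME { ... }', and any
    assignment outside a block is filed under "global".
    """
    blocks = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = " ".join(m.group(1).split())
            blocks.setdefault(current, {})
            continue
        if line.strip() == "}":
            current = "global"
            continue
        m = ASSIGN_RE.match(line)
        if m:
            blocks[current][m.group(1)] = m.group(2)
    return blocks


def audit_userlimit(blocks, low=5, high=20):
    """Classify USERLIMIT_GLOBAL as 'fail', 'warn' or 'pass'.

    Returns (verdict, limit, message). '0' and a missing key both fail,
    because the bftpd documentation states "0" (unlimited) is the default.
    Values outside [low, high] only warn; those bounds are the documented
    suggestion for small servers, not a hard requirement.
    """
    raw = blocks.get("global", {}).get("USERLIMIT_GLOBAL")
    if raw is None:
        return ("fail", 0, "USERLIMIT_GLOBAL absent; bftpd default is 0 (unlimited)")
    try:
        limit = int(raw)
    except ValueError:
        return ("fail", None, f"USERLIMIT_GLOBAL={raw!r} is not an integer")
    if limit <= 0:
        return ("fail", limit,
                f"USERLIMIT_GLOBAL={limit} allows unbounded concurrent sessions (DoS)")
    if limit < low or limit > high:
        return ("warn", limit,
                f"USERLIMIT_GLOBAL={limit} is outside the recommended {low}-{high} range")
    return ("pass", limit, f"USERLIMIT_GLOBAL={limit} caps concurrent sessions")


if __name__ == "__main__":
    for name, text in (("shipped", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        verdict, _limit, msg = audit_userlimit(parse_bftpd_conf(text))
        print(f"{name}: {verdict.upper()} - {msg}")
```

To audit a real device, read /etc/bftpd.conf from the extracted firmware or over a shell on the unit and pass its contents to parse_bftpd_conf; any "fail" verdict means the global session cap is effectively absent.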