OVERVIEW OF THE VULNERABILITY AND EXPLOIT
A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences.
ProFTPD bug report: #3521
DETAILS ON THE VULNERABILITY AND EXPLOIT
ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem. The update also fixes a directory traversal vulnerability which can only be exploited if the "mod_site_misc" module is loaded. This flaw could allow attackers with write privileges to leave their permitted path and delete directories or create symbolic links outside of the path. The module is not loaded or compiled by default.
DETAILS ON THE MICRO-UPDATE FOR ProFTPD 1.3.2 VERSION
Parallels has used its micro-update patch functionality in Plesk 9.5x, Plesk 10, and Small Business Panel 10.2 to fix this exploit. You can find instruction about micro-updates insatllation in article Using Micro-Updates in Parallels Plesk Panel 9.x, 10.x and Parallels Small Business Panel. But micro-updates do not change version of Parallels Plesk Packages packages. Therefore security scanners may arise an alert if they determine the old build of ProFTPD 1.3.2 version.
In case of arising security scanners alerts you may check that micro-update is really installed on your Parallels Plesk Panel server with using corresponding instruction - How to verify fixed proftpd was installed after installation of microupdate in Parallels Plesk Panel 9.5.2. 9.5.3 and 10.0.1
If you see that micro-update for described ProFTPD Remote Code Execution Vulnerability and Exploit has been successfully installed on your server you can consider this security scanner alert as reaction on old build of ProFTPD 1.3.2 version but not as real security problem alert.