qBittorrent fixes flaw exposing users to MitM attacks for 14 years

qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application’s DownloadManager, a component that manages downloads throughout the app.

The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

qBittorrent is a free, open-source client for downloading and sharing files over the BitTorrent protocol. Its cross-platform nature, IP filtering, integrated search engine, RSS feed support, and modern Qt-based interface have made it particularly popular.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing the users about it and without assigning a CVE to the problem.

One problem, multiple risks

The core issue is that since 2010, qBittorrent accepted any certificate, including forged/illegitimate, enabling attackers in a man-in-the-middle position to modify network traffic.

“In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever occurred, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86,” explains the security researcher.

“The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.”

SSL certificates help ensure that users connect securely to legitimate servers by verifying that the server’s certificate is authentic and trusted by a Certificate Authority (CA).

When this validation is skipped, any server pretending to be the legitimate one can intercept, modify, or insert data in the data stream, and qBittorrent would trust this data.
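The difference between skipping and enforcing validation, as an added example that is not code from qBittorrent or from the researcher: a Go client fetches a constructed update feed from a local test server whose certificate no trusted CA has signed. Go's `InsecureSkipVerify` stands in here for the ignore-every-error behaviour described above; the feed content and its URL are constructed sample values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed sample feed; the URL is a placeholder, not a real download location.
const feed = `<update><url>https://downloads.example/app-setup.exe</url></update>`

// fetch downloads url using the given TLS settings and returns the response body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true},
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// compare serves the feed from a local server whose certificate is not signed by
// any trusted CA, then fetches it once without and once with certificate validation.
func compare() (body string, ignoringErr, validatingErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, feed)
	}))
	defer srv.Close()

	// Validation errors ignored: the untrusted server's content is accepted as-is.
	body, ignoringErr = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// Default settings: the chain is checked against trusted roots and the fetch fails.
	_, validatingErr = fetch(srv.URL, &tls.Config{})
	return
}

func main() {
	body, ignoringErr, validatingErr := compare()
	fmt.Printf("validation ignored:  body=%q err=%v\n", body, ignoringErr)
	fmt.Printf("validation enforced: err=%v\n", validatingErr)
}
```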

Sharp Security highlights four main risks that arise from this issue:

  1. When Python is unavailable on Windows, qBittorrent prompts the user to install it via a hardcoded URL pointing to a Python executable. Due to the lack of certificate validation, an attacker intercepting the request can replace the URL’s response with a malicious Python installer that can perform RCE.
  2. qBittorrent checks for updates by fetching an XML feed from a hardcoded URL, then parses the feed for a new version’s download link. Lacking SSL validation, an attacker could substitute a malicious update link in the feed, prompting the user to download malicious payloads.
  3. qBittorrent’s DownloadManager is also used for RSS feeds, enabling attackers to intercept and modify the RSS feed content and inject malicious URLs posing as safe torrent links.
  4. qBittorrent automatically downloads a compressed GeoIP database from a hardcoded URL and decompresses it, allowing the exploitation of potential memory overflow bugs via files fetched from a spoofed server.

Launching Calculator from qBittorrent as demonstration
Source: Sharp Security

The researcher comments that MitM attacks are often seen as unlikely, but they could be more common in surveillance-heavy regions.

The latest version of qBittorrent, 5.0.1, has addressed the above risks, so users are recommended to upgrade as soon as possible.
