qBittorrent fixes flaw exposing users to MitM attacks for 14 years

qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application’s DownloadManager, a component that manages downloads throughout the app.

The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

qBittorrent is a free, open-source client for downloading and sharing files over the BitTorrent protocol. Its cross-platform nature, IP filtering, built-in search engine, RSS feed support, and modern Qt-based interface have made it particularly popular.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing users about it and without assigning a CVE to the problem.

One problem, multiple risks

The core issue is that since 2010, qBittorrent accepted any certificate, including forged/illegitimate ones, enabling attackers in a man-in-the-middle position to modify network traffic.

“In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86,” explains the security researcher.

“The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.”

SSL certificates help ensure that users connect securely to legitimate servers by verifying that the server’s certificate is authentic and trusted by a Certificate Authority (CA).

When this validation is skipped, any server pretending to be the legitimate one can intercept, modify, or insert data in the data stream, and qBittorrent would trust this data.
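A static check for the bug class described above, as an added example (not code from qBittorrent or the researcher): it flags Qt calls that accept every certificate error or switch peer verification off, and skips commented-out code. `QNetworkReply::ignoreSslErrors()` and `QSslSocket::VerifyNone` are real Qt APIs; the `Fetcher` class, the sample source and the rule ids are constructed for illustration.

```python
import re

# Real Qt calls that turn certificate checking off; rule ids are this example's own.
RULES = [
    ("blanket-ignore", re.compile(r"\bignoreSslErrors\s*\(\s*\)")),
    ("verify-none",
     re.compile(r"\bsetPeerVerifyMode\s*\(\s*QSslSocket::VerifyNone\s*\)")),
]
LINE_COMMENT = re.compile(r"(?<!:)//.*$")   # keeps the "//" of URLs in strings


def scan_source(text):
    """Return (line_number, rule_id) for each risky call outside comments."""
    findings = []
    in_block = False
    for number, line in enumerate(text.splitlines(), start=1):
        if in_block:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block = False
        line = re.sub(r"/\*.*?\*/", "", line)      # one-line /* ... */
        if "/*" in line:
            line, in_block = line.split("/*", 1)[0], True
        line = LINE_COMMENT.sub("", line)
        findings += [(number, rid) for rid, pat in RULES if pat.search(line)]
    return findings


# Constructed C++ sample (hypothetical Fetcher class, not qBittorrent source).
SAMPLE = """\
void Fetcher::onSslErrors(QNetworkReply *reply, const QList<QSslError> &)
{
    reply->ignoreSslErrors();                  // every error accepted
}
void Fetcher::onKnownErrors(QNetworkReply *reply)
{
    reply->ignoreSslErrors(m_expectedErrors);  // explicit allow-list only
}
/* old: config.setPeerVerifyMode(QSslSocket::VerifyNone);
*/
void Fetcher::configure(QSslConfiguration &config)
{
    config.setPeerVerifyMode(QSslSocket::VerifyNone);
}
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

The overload of `ignoreSslErrors` that takes an explicit list of expected errors is deliberately not flagged, since it leaves every other validation failure fatal.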

Sharp Security highlights four main risks that arise from this issue:

  1. When Python is unavailable on Windows, qBittorrent prompts the user to install it via a hardcoded URL pointing to a Python executable. Due to the lack of certificate validation, an attacker intercepting the request can replace the URL’s response with a malicious Python installer that can perform RCE.
  2. qBittorrent checks for updates by fetching an XML feed from a hardcoded URL, then parses the feed for a new version’s download link. Lacking SSL validation, an attacker could substitute a malicious update link in the feed, prompting the user to download malicious payloads.
  3. qBittorrent’s DownloadManager is also used for RSS feeds, enabling attackers to intercept and modify the RSS feed content and inject malicious URLs posing as safe torrent links.
  4. qBittorrent automatically downloads a compressed GeoIP database from a hardcoded URL and decompresses it, allowing the exploitation of potential memory overflow bugs via files fetched from a spoofed server.

Launching Calculator from qBittorrent as demonstration
Source: Sharp Security

The researcher comments that MitM attacks are often seen as unlikely, but they could be more common in surveillance-heavy regions.

The latest version of qBittorrent, 5.0.1, has addressed the above risks, so users are recommended to upgrade as soon as possible.
