Original Article Text


qBittorrent fixes flaw exposing users to MitM attacks for 14 years

qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application's DownloadManager, a component that manages downloads throughout the app. The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

qBittorrent is a free, open-source client for downloading and sharing files over the BitTorrent protocol. Its cross-platform nature, IP filtering, integrated search engine, RSS feed support, and modern Qt-based interface have made it particularly popular.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing users about it and without assigning a CVE to the problem.

One problem, multiple risks

The core issue is that since 2010, qBittorrent accepted any certificate, including forged or illegitimate ones, enabling attackers in a man-in-the-middle position to modify network traffic.

"In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86," explains the security researcher. "The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago."

SSL certificates help ensure that users connect securely to legitimate servers by verifying that the server's certificate is authentic and trusted by a Certificate Authority (CA). When this validation is skipped, any server pretending to be the legitimate one can intercept, modify, or insert data in the data stream, and qBittorrent would trust this data.
Sharp Security highlights four main risks that arise from this issue:

The researcher comments that MitM attacks are often seen as unlikely, but they could be more common in surveillance-heavy regions. The latest version of qBittorrent, 5.0.1, has addressed the above risks, so users are recommended to upgrade as soon as possible.
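The two behaviours the article contrasts, as an added illustration in Python's `ssl` module rather than the Qt/C++ of the real client (this is not qBittorrent's code): a context that swallows every certificate error the way the old DownloadManager did, the verifying default that replaced it, and a small audit check a reviewer could run on any download component's TLS settings. The `build_opener` helper and its `ignore_ssl_errors` flag are constructed for this example.

```python
import ssl
import urllib.request


def legacy_context() -> ssl.SSLContext:
    """Mimic the 2010-2024 behaviour: every certificate error is ignored,
    so a forged certificate from a man-in-the-middle is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def verifying_context() -> ssl.SSLContext:
    """The corrected default: chain checked against the system CA store
    and the hostname matched against the certificate."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a context would trust an illegitimate server."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def build_opener(ctx: ssl.SSLContext, ignore_ssl_errors: bool = False):
    """Constructed helper (hypothetical): verification is the default and an
    all-trusting context is only usable after an explicit opt-in, which is
    the shape of the fixed behaviour the article describes."""
    problems = audit_context(ctx)
    if problems and not ignore_ssl_errors:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
```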

Daily Brief Summary

MALWARE // qBittorrent Fixes Long-Standing Remote Code Execution Vulnerability

qBittorrent, a popular open-source BitTorrent client, has patched a remote code execution vulnerability present for over 14 years.

The flaw stemmed from DownloadManager's failure to properly validate SSL/TLS certificates, risking man-in-the-middle (MitM) attacks.

Introduced in a commit from April 2010, the vulnerability was only rectified in the recent release of version 5.0.1 on October 28, 2024.

The security lapse allowed any forged or illegitimate certificate to be accepted, enabling attackers to potentially intercept or alter user data.

The issue was highlighted by Sharp Security in a blog post, noting that the qBittorrent team did not assign a CVE number or adequately inform users about the fix.

Sharp Security outlined multiple risks from this flaw, emphasizing its impact particularly in areas subject to heavy surveillance.

Users are urged to update to the latest version, 5.0.1, to mitigate these risks and ensure secure file sharing and downloading through the application.