qBittorrent has fixed a remote code execution vulnerability caused by its DownloadManager, the component that handles the application's HTTP(S) downloads, accepting SSL/TLS certificates without validating them. The flaw was introduced in a commit dated April 6, 2010, and was finally corrected in the latest release, version 5.0.1, on October 28, 2024, after more than 14 years. qBittorrent is a free and open-source client for downloading and sharing files over the BitTorrent protocol. It is popular for features such as cross-platform support, IP filtering, an integrated search engine, RSS feed support, and a modern Qt-based interface.
One problem, multiple risks
The fundamental problem is that since 2010 qBittorrent has accepted every certificate presented to it, including forged or otherwise illegitimate ones, so an attacker in a man-in-the-middle position could read and alter the application's network traffic undetected.
According to a security researcher, “In qBittorrent, the DownloadManager class has disregarded every SSL certificate validation error that has occurred across all platforms for a duration of 14 years and 6 months, starting from April 6, 2010, with commit 9824d86.”
The default behavior was modified to include verification on October 12, 2024, with commit 3d9e971, and the first patched version is 5.0.1, which was released two days ago.
Certificate validation is what lets a client confirm it is talking to the legitimate server: the client checks that the certificate the server presents chains to a trusted Certificate Authority (CA) and matches the expected hostname. When that check is skipped, any server that can place itself on the path and masquerade as the legitimate one can intercept, alter, or inject data into the stream, and qBittorrent would trust that data as if it had come from the real server.
Sharp Security identifies four primary risks associated with this vulnerability:
1. When Python is not available on Windows, qBittorrent prompts users to install it via a hardcoded URL leading to a Python executable. Due to the absence of certificate validation, an attacker could intercept this request and replace the response with a malicious Python installer capable of executing remote code.
2. qBittorrent checks for updates by retrieving an XML feed from a hardcoded URL and parsing it for a new version’s download link. Without SSL validation, an attacker could insert a malicious update link into the feed, leading users to download harmful payloads.
3. The DownloadManager in qBittorrent is also utilized for RSS feeds, which allows attackers to intercept and modify the content of the RSS feed, injecting malicious URLs that appear to be legitimate torrent links.
4. qBittorrent automatically downloads a compressed GeoIP database from a hardcoded URL and decompresses it. A spoofed server could serve a crafted file, exposing any memory-corruption (overflow) bugs in the decompression code.
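The accept-all versus verify distinction behind all four risks, as an added Go example that is not qBittorrent's own code (qBittorrent is written in C++/Qt): a local TLS server standing in for a man-in-the-middle host serves a constructed "update feed" under a self-signed certificate, and two clients fetch it, one that swallows every certificate error the way the old DownloadManager did and one that verifies the chain. The function names and the feed body are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// startSpoofedServer plays the man-in-the-middle host: it serves attacker-chosen
// content under httptest's self-signed certificate, which no CA has issued.
func startSpoofedServer(body string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = io.WriteString(w, body) // e.g. a constructed update feed
	}))
}

// acceptAllClient mirrors the pre-5.0.1 DownloadManager: every certificate
// error is swallowed, so whoever answers on the wire is trusted.
func acceptAllClient() *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} // the bug
	return &http.Client{Transport: tr}
}

// verifyingClient is the patched behaviour: Go's default transport checks the
// chain against the system roots and the hostname against the certificate.
func verifyingClient() *http.Client { return &http.Client{} }

// fetch does one GET and returns the body, or the transport/TLS error.
func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// isUntrustedCertError reports whether the failure was the verifier rejecting
// a certificate that chains to no trusted CA, i.e. the check did its job.
func isUntrustedCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA)
}
```

With the spoofed server running, the accept-all client returns the attacker's feed body while the verifying client fails the handshake with an unknown-authority error and never sees the content.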
The researcher notes that although man-in-the-middle attacks are often dismissed as improbable, they remain a realistic and significant threat.