CVE-2021-36370

CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.

Description

Midnight Commander from version 4.8.4 up to 4.8.26 does not verify the host fingerprint when connecting to a server using the SFTP VFS.

The SFTP VFS was introduced in 2012 as an addition to the shell connection, which uses FISH.

The problem was that the host fingerprint was calculated but never verified. The code simply continued with the authentication step, which leaves SFTP connections open to man-in-the-middle attacks.

/* At this point we haven't yet authenticated.  The first thing to do
 * is check the hostkey's fingerprint against our known hosts.  Your app
 * may have it hard coded, may go to a file, may present it to the
 * user, that's your call.
 */
sftpfs_super->fingerprint =
libssh2_hostkey_hash (sftpfs_super->session, LIBSSH2_HOSTKEY_HASH_SHA1);

/* The fingerprint is stored but never compared against anything and never
 * shown to the user; the code goes straight on to authentication. */
if (!sftpfs_recognize_auth_types (super))
{
    int sftp_errno;

    sftp_errno = libssh2_session_last_errno (sftpfs_super->session);
    sftpfs_ssherror_to_gliberror (sftpfs_super, sftp_errno, mcerror);
    return (-1);
}
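The following is an added example, not code from Midnight Commander, showing the decision that is missing between computing the fingerprint and starting authentication. The known-hosts table, the host names and the SHA1 bytes are constructed for the example; a real client would obtain the hash from libssh2_hostkey_hash as in the snippet above and read the expected value from a known_hosts file.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical known-hosts entry (this example's own type, not mc's): a host
 * name plus the expected SHA1 host-key fingerprint in the colon-separated
 * hex form SSH clients show to users. */
struct known_host { const char *host; const char *sha1_hex; };

enum hostkey_verdict { HOSTKEY_MATCH, HOSTKEY_MISMATCH, HOSTKEY_UNKNOWN };

/* Render a raw hash (20 bytes for SHA1) as "aa:bb:...:ff".
 * out must hold at least 3 * len bytes, terminator included. */
void fingerprint_to_hex(const unsigned char *hash, size_t len, char *out)
{
    out[0] = '\0';
    for (size_t i = 0; i < len; i++) {
        sprintf(out + 3 * i, "%02x", hash[i]);
        if (i + 1 < len)
            out[3 * i + 2] = ':';   /* overwrite sprintf's NUL with the separator */
    }
}

/* The check the vulnerable code skipped: compare the computed fingerprint with
 * the stored one before any authentication step. Only HOSTKEY_MATCH may
 * continue; HOSTKEY_UNKNOWN must be shown to the user for confirmation and
 * HOSTKEY_MISMATCH must abort, since a changed key is what a MITM produces. */
enum hostkey_verdict verify_host_fingerprint(const char *host,
                                             const unsigned char *hash, size_t len,
                                             const struct known_host *known, size_t n_known)
{
    char hex[3 * 20];
    if (len == 0 || len > 20)
        return HOSTKEY_MISMATCH;    /* not a SHA1-sized hash: refuse outright */
    fingerprint_to_hex(hash, len, hex);
    for (size_t i = 0; i < n_known; i++)
        if (strcmp(known[i].host, host) == 0)
            return strcmp(known[i].sha1_hex, hex) == 0 ? HOSTKEY_MATCH : HOSTKEY_MISMATCH;
    return HOSTKEY_UNKNOWN;         /* first contact: never silently trust */
}

/* Constructed sample data: a made-up SHA1 hash (stands in for the output of
 * libssh2_hostkey_hash) and a two-entry known-hosts table. */
const unsigned char SAMPLE_SHA1[20] = { 0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
                                        0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
const struct known_host SAMPLE_KNOWN[2] = {
    { "files.example.org",  "de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff" },
    { "backup.example.org", "01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14" },
};
```

Wired into the snippet above, the connection would only reach sftpfs_recognize_auth_types when the verdict is HOSTKEY_MATCH (or HOSTKEY_UNKNOWN after the user has explicitly accepted the displayed fingerprint).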

Release Announcement

Note

Hi there,

I’m glad to announce the immediate availability of mc-4.8.27, a maintenance and security release, just in time before leaving all of you for a long overdue summer vacation!

This release addresses an important security issue (CVE-2021-36370) in the SFTP VFS. Unfortunately, as the VFS was first introduced, the fingerprints of remote hosts were computed, but not verified, and the issue was reported only now by Manfred KAISER from AUT-milCERT during an audit of open source software. We would like to thank the team at AUT-milCERT for finding the issue and responsibly disclosing it!

-- Sincerely yours,

Yury V. Zaytsev

Source: https://mail.gnome.org/archives/mc-devel/2021-August/msg00008.html

Mitigation

Update Midnight Commander to version >= 4.8.27

If updating to the latest version is not possible, the shell connection (FISH), which runs over SSH and therefore benefits from the SSH client's own host key verification, can be used for remote file operations instead of the SFTP VFS.

References