CVSS 9.1 CVE-2022-38337

CVSS 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

When aborting an SFTP connection, MobaXterm before v22.2 sends a hardcoded password to the server. The server treats this as an invalid login attempt, which can result in a Denial of Service (DoS) for the user if services like fail2ban are used.

Description

The integrated SFTP client, which is based on SecureBlackbox, uses the hardcoded password MobaPasswordCancel to abort the login attempt on the server.

Sending a wrong password to the server closes the connection because of the failed login attempt.

This can result in the user being blocked (DoS of the user account) if tools like fail2ban are used on the server.

If the server accepts the login attempt, this can result in an information leak, because environment variables and other information are sent to the server.
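To show how few aborted SFTP sessions it takes to trip a fail2ban-style ban on the server, the following added example (not part of the advisory and not MobaXterm or fail2ban code) replays constructed sshd auth-log lines through a sliding-window failure counter using fail2ban's default thresholds (maxretry 5, findtime 600 s). The host name, user names, addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Simplified form of the sshd failure line fail2ban's default sshd filter keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed log: five aborted MobaXterm SFTP sessions from one client in about
# two minutes, plus one unrelated failure from another host.
SAMPLE_AUTH_LOG = """\
Sep 14 09:12:01 bastion sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50211 ssh2
Sep 14 09:12:40 bastion sshd[2150]: Failed password for alice from 10.0.0.5 port 50230 ssh2
Sep 14 09:13:05 bastion sshd[2163]: Failed password for alice from 10.0.0.5 port 50241 ssh2
Sep 14 09:13:31 bastion sshd[2177]: Failed password for alice from 10.0.0.5 port 50252 ssh2
Sep 14 09:14:02 bastion sshd[2190]: Failed password for alice from 10.0.0.5 port 50263 ssh2
Sep 14 09:14:48 bastion sshd[2204]: Failed password for alice from 10.0.0.5 port 50274 ssh2
Sep 14 09:30:00 bastion sshd[2301]: Failed password for bob from 10.0.0.9 port 51000 ssh2
""".splitlines()


def banned_sources(log_lines, maxretry=5, findtime=600, year=2022):
    """Return {ip: time_of_ban} for every source whose failed-password count
    reaches maxretry within a sliding window of findtime seconds.
    The year is assumed because syslog timestamps omit it."""
    recent = {}   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        hits = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in banned_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S}")
```

With the defaults the fifth aborted session is enough to lock the client out; raising `findtime` or lowering `maxretry` only makes the lockout faster.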

This vulnerability was discovered by AUT-milCERT during an audit of MobaXterm.

Mitigation

Update MobaXterm to version >= v22.2

Release Notes v22.2

  • Bugfix: when an SFTP session is aborted, the “canceled” password is no longer sent to the server

References