qBittorrent fixed a remote code execution bug caused by SSL/TLS certificates not being verified in the app’s DownloadManager, a component that manages downloads. The serious bug, which appeared on April 6, 2010, was fixed with the newly released version 5.0.1, more than 14 years later.qBittorrent is a free and open source client for downloading and sharing files via the BitTorrent protocol. It has become popular with its cross-platform structure, IP filtering, integrated search engine, RSS feed support and modern Qt-based interface. However, as security researcher Sharp Security points out on its blog, the qBittorrent team fixed a critical bug without adequately informing users and assigning a CVE for the issue.
Which security vulnerability has been closed in qBittorrent?
The main problem is that since 2010 qBittorrent accepts all types of certificates, including fake/illegal certificates; In this way, it allows attackers acting as intermediaries to change network traffic.
SSL certificates help ensure that users can securely connect to valid servers by verifying that the server’s certificate is real and trusted by a Certificate Authority (CA). When this verification is bypassed, any server pretending to be the current server can interrupt, modify, or append data in the data stream; qBittorrent also relies on this data.
The setting that governs whether the app accepts a connection without SSL certificate verification is still accessible to users. This setting can also be disabled.
62670
