Jacob Welsh of Fixpoint Project One Eleventy and JWRD Computing discovered a missing host key check in the Secure Shell File Transfer Protocol (SFTP) implementation in FreeFileSync (FFS), a graphical program for Windows, Mac OS X and Linux for synchronizing file collections between local and remote systems.(i) Its Secure Sockets Layer (SSL) wrapped FTP (FTPS) implementation may be similarly incomplete.
An active attacker able to intercept or redirect network traffic, perform DNS cache poisoning, or simply be allocated an IP address referenced by misconfigured or outdated clients, could exploit this flaw to impersonate the intended server, obtaining read access to the complete collection of files being synchronized. In two-way mode this would extend to read-write access to that portion of the client's filesystem ; add to this the program's unattended "batch" mode and the attack could easily go undetected.
FFS uses libssh2 for its SFTP transport, but the problem seems to be with FFS itself failing to make use of partial functionality provided by that library for host key verification.(ii)
There is no presently known fix. A partial mitigation would be to stop using DNS. A complete but clumsy workaround, if allowed by server configuration, would be to direct traffic through a secure TCP tunnel provided by a full SSH implementation.
JWRD reached out to Florian Bauer aka "Zenju", the author and publisher of the program, who acknowledged the issue, noting that
I can't give an ETA at this point, I'll first have to evaluate how an implementation could look like and how much work it is.
Regarding whether to keep the find under wraps a bit longer to give him a head start on a fix, he clarified that
I can't say when I'll have the time to have a closer look at (S)FTP server validation, so I'd say you don't need to wait.
Meanwhile, back at the ranch:
Puffy's watching!
- We were evaluating it for recommending to our customers as a secure and efficient yet novice-friendly bridge between the Windows and Linux worlds. It seemed to mostly fit the bill, though a related annoyance was the inability to generate a key pair to identify the client from within the program itself. [^]
- To improve your intuition as to the severity of the omission, imagine if an Internet-exposed file server granted read-write access to sensitive data without verifying the client's provided username and password (or key). The problem would be immediately obvious. Yet even otherwise experienced people miss entirely the very same problem when it's the client failing to verify the server's identity. Why is that ? Could it be, just maybe, that it betrays a political orientation of implicitly trusting whatever looks or sounds like a central authority, in preference to putting in the effort to evaluate things for oneself ? [^]
[...] key pair negotiated between the user and server administrator. It falls short in that it fails to authenticate the server to the client, a critical step of the security protocol and a feature whose presence any user cultured in SSH or [...]
Pingback by Freeing Windows files with FreeFileSync « Fixpoint — 2022-06-23 @ 00:53