A severe security vulnerability in qBittorrent, affecting versions 3.2.1 through 5.0.0, allowed an attacker able to intercept the client's HTTPS traffic to achieve remote code execution (RCE) through several attack vectors.
The flaw had gone unnoticed since April 2010. It lets an attacker substitute malicious content for what the client downloads and, through that, execute arbitrary code on affected systems.
The vulnerability stems from qBittorrent's DownloadManager class, whose SSL error handler has ignored certificate validation errors for nearly 15 years: whatever certificate the remote server presented, the download proceeded.
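To make concrete what "ignoring SSL errors" in a download path amounts to, here is an added example; it is not qBittorrent's code (the project is C++/Qt) and is written in Go because its standard library can stand up a throwaway TLS server offline. A test server with a self-signed certificate plays the attacker in the middle and serves a constructed payload. One client accepts any certificate, as the old error handler did; one verifies the chain against the system trust store, as the fix does; a third shows the right way to reach a host whose certificate is not publicly trusted, by trusting that one certificate rather than switching verification off. The server, the payload string and the client names are assumptions made for this demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result is the outcome of one download attempt.
type Result struct {
	Body     string // payload received, if the connection was accepted
	Rejected bool   // true when the client refused to complete the request
	CertErr  bool   // true when the refusal was specifically a certificate error
}

// newMitmServer stands in for an attacker who has intercepted the connection
// to one of qBittorrent's hardcoded download URLs. It serves a constructed
// payload under a self-signed certificate that no client should trust
// (httptest generates that certificate itself; this is not a real host).
func newMitmServer(payload string) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, payload)
	}))
}

// ignoringSSLErrorsClient reproduces the pre-5.0.1 DownloadManager behaviour:
// whatever certificate the server presents is accepted.
func ignoringSSLErrorsClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the bug, in one line
	}}
}

// verifyingClient is the corrected behaviour: the chain is validated against
// the system trust store and the hostname is checked.
func verifyingClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// trustingClient is the right way to talk to a host whose certificate is not
// publicly trusted: add that single certificate to the trust store instead of
// disabling verification. Here it trusts the test server's own certificate.
func trustingClient(cert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// attempt downloads url with client and classifies what happened.
func attempt(client *http.Client, url string) Result {
	resp, err := client.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		var badHost x509.HostnameError
		var invalid x509.CertificateInvalidError
		var noRoots x509.SystemRootsError
		certErr := errors.As(err, &unknownCA) || errors.As(err, &badHost) ||
			errors.As(err, &invalid) || errors.As(err, &noRoots)
		return Result{Rejected: true, CertErr: certErr}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Result{Rejected: true}
	}
	return Result{Body: string(body)}
}

// Demo runs the three clients against the MITM server.
func Demo() (ignoring, verifying, trusting Result) {
	srv := newMitmServer("MZ... (constructed stand-in for a trojaned installer)")
	defer srv.Close()
	ignoring = attempt(ignoringSSLErrorsClient(), srv.URL)
	verifying = attempt(verifyingClient(), srv.URL)
	trusting = attempt(trustingClient(srv.Certificate()), srv.URL)
	return
}

func main() {
	ignoring, verifying, trusting := Demo()
	fmt.Printf("ignore SSL errors:    rejected=%-5v body=%q\n", ignoring.Rejected, ignoring.Body)
	fmt.Printf("verify against roots: rejected=%-5v certErr=%v\n", verifying.Rejected, verifying.CertErr)
	fmt.Printf("trust that one cert:  rejected=%-5v body=%q\n", trusting.Rejected, trusting.Body)
}
```

The first client receives the attacker's payload without any error surfacing; the second fails the handshake with a certificate error before a byte of body is read; the third succeeds only because the exact certificate was added to its trust store, which is the narrow exception a client should use instead of a blanket "ignore errors" handler.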
This oversight means that the software has been accepting any certificate a server presents, whether expired, self-signed, or issued by an attacker, so anyone who can intercept the connection can impersonate qBittorrent's hardcoded download hosts in a man-in-the-middle (MITM) attack. Here are the key areas where this vulnerability could be exploited:
- Malicious Executable Loader: On Windows, qBittorrent prompts users to install or update Python from a hardcoded URL when the search feature requires it. It downloads the installer, executes it, and then deletes it. Because the download's certificate is never checked, a MITM attacker can substitute their own executable, which qBittorrent then runs.
- Browser Hijacking: qBittorrent checks for updates by downloading an RSS feed from a hardcoded URL. An attacker who intercepts that request can serve a manipulated feed whose update link points to a malicious executable disguised as a new release.
- RSS Feed Injection: The RSS feeds qBittorrent fetches are parsed without validating the URLs they contain, so an attacker in the middle can inject arbitrary links; when a user clicks one, it can lead to the download or execution of malicious content.
- Decompression Library Exploits: qBittorrent automatically downloads and decompresses MaxMind GeoIP database files. Since that download is not authenticated, an attacker can substitute a crafted archive and feed attacker-controlled input to any memory-safety bug in the decompression path, such as a buffer overflow in zlib.
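The RSS vector above is a missing-validation problem: links pulled out of a feed reach the download path unchecked. The check below is an added example, not qBittorrent's code (and in Go rather than the project's C++/Qt): it parses a constructed feed and passes through only links that are http(s) downloads of a `.torrent` file on an allowlisted host, or well-formed magnet links, while dropping `javascript:` and `file:` URLs and executable downloads. The feed contents, the host names and the per-feed host allowlist are assumptions for this demonstration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Only the parts of an RSS 2.0 document the check needs.
type rssDoc struct {
	Items []rssItem `xml:"channel>item"`
}

type rssItem struct {
	Title     string       `xml:"title"`
	Link      string       `xml:"link"`
	Enclosure rssEnclosure `xml:"enclosure"`
}

type rssEnclosure struct {
	URL  string `xml:"url,attr"`
	Type string `xml:"type,attr"`
}

// Constructed sample feed: one legitimate item followed by three injected
// items of the kind an attacker in the middle could splice into a feed.
const sampleFeed = `<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>constructed feed</title>
  <item><title>Release 1.2</title>
    <link>https://tracker.example/release-1.2.torrent</link>
    <enclosure url="https://tracker.example/release-1.2.torrent" type="application/x-bittorrent"/></item>
  <item><title>Read the notes</title>
    <link>javascript:fetch('https://evil.example/beacon')</link></item>
  <item><title>Local tool</title>
    <link>file:///C:/Users/Public/update.exe</link></item>
  <item><title>qBittorrent 5.0.1 update</title>
    <link>https://evil.example/qbittorrent_5.0.1_setup.exe</link>
    <enclosure url="https://evil.example/qbittorrent_5.0.1_setup.exe" type="application/octet-stream"/></item>
</channel></rss>`

// checkLink decides whether a feed URL may be handed to the download path.
// trustedHosts, when non-empty, is an allowlist of hosts the feed is expected
// to link to (a hypothetical per-feed setting, not a qBittorrent option).
func checkLink(raw string, trustedHosts map[string]bool) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	scheme := strings.ToLower(u.Scheme)
	switch scheme {
	case "magnet":
		// magnet:?xt=urn:btih:<info hash>; anything else is not a torrent.
		if !strings.HasPrefix(strings.ToLower(u.Query().Get("xt")), "urn:btih:") {
			return fmt.Errorf("magnet link without a btih info hash")
		}
		return nil
	case "http", "https":
		host := strings.ToLower(u.Hostname())
		if host == "" {
			return fmt.Errorf("%s URL without a host", scheme)
		}
		if len(trustedHosts) > 0 && !trustedHosts[host] {
			return fmt.Errorf("host %q is not in the feed's allowlist", host)
		}
		// The only thing a torrent feed should point at is a .torrent file.
		if ext := strings.ToLower(path.Ext(u.Path)); ext != ".torrent" {
			return fmt.Errorf("unexpected file type %q", ext)
		}
		return nil
	default:
		// javascript:, file:, data:, vbscript:, ... are never acceptable.
		return fmt.Errorf("scheme %q not allowed in a feed", scheme)
	}
}

// FilterFeed parses feedXML and returns the links that are safe to act on,
// plus the reason each rejected link was dropped, keyed by item title.
func FilterFeed(feedXML string, trustedHosts map[string]bool) (accepted []string, rejected map[string]string, err error) {
	var doc rssDoc
	if perr := xml.Unmarshal([]byte(feedXML), &doc); perr != nil {
		return nil, nil, fmt.Errorf("feed is not well-formed RSS: %w", perr)
	}
	rejected = make(map[string]string)
	for _, it := range doc.Items {
		// Prefer the enclosure (the actual download) over the display link.
		target := it.Enclosure.URL
		if target == "" {
			target = it.Link
		}
		if cerr := checkLink(target, trustedHosts); cerr != nil {
			rejected[it.Title] = cerr.Error()
			continue
		}
		accepted = append(accepted, target)
	}
	return accepted, rejected, nil
}

func main() {
	accepted, rejected, err := FilterFeed(sampleFeed, map[string]bool{"tracker.example": true})
	if err != nil {
		panic(err)
	}
	for _, l := range accepted {
		fmt.Println("ACCEPT", l)
	}
	for title, why := range rejected {
		fmt.Printf("REJECT %q: %s\n", title, why)
	}
}
```

Note that the scheme allowlist alone is not enough: the fourth item is a plain https link and would pass a scheme check, and it is the host allowlist and the file-type check that stop an executable disguised as an update from reaching the download path. Validation like this is defence in depth; it does not replace verifying the TLS certificate of the feed's origin.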
Certificate verification became qBittorrent's default behavior with commit 3d9e971 on October 12, 2024, and the first release containing the fix, version 5.0.1, was published only two days ago. Users of older versions remain exposed. Here are some recommended mitigations:
- Upgrade to Latest Version: Upgrade immediately to version 5.0.1 or later, which includes the fix.
- Alternative Torrent Clients: Consider switching to another client such as Deluge or Transmission, which are not affected by this vulnerability.
This vulnerability exposes users to a range of attacks, from malware infection to data theft, and qBittorrent's wide install base makes it a prime target. Because certificates were never validated, an attacker could mount a MITM attack without needing a certificate trusted for the target host, which made both surveillance of the client's traffic and exploitation straightforward.
The discovery of this critical vulnerability in qBittorrent underscores the importance of timely software updates and of robust security defaults in widely used applications. Users are urged to update their software now and to consider an alternative client until they are running a patched version.