Cyberduck 4.4.3 (14140 Windows) X.509 Validation Failure

06 May 2014 00:00:00 | Reported by Micha Borrmann | Type: packetstorm | Source: packetstormsecurity.com | 20 Views

X.509 Validation Failure in Cyberduck 4.4.3 (Windows) - Medium Risk

Related

| Family | Reporter | Title | Published |
|---|---|---|---|
| CVE | cve | CVE-2014-2845 | 15 Nov 2017 18:00 |
| Cvelist | cvelist | CVE-2014-2845 | 15 Nov 2017 18:00 |
| EUVD | euvd | EUVD-2014-2870 | 7 Oct 2025 00:30 |
| NVD | nvd | CVE-2014-2845 | 15 Nov 2017 18:29 |
| Prion | prion | Design/Logic Flaw | 15 Nov 2017 18:29 |
| securityvulns | securityvulns | CVE-2014-2845 - Cyberduck (Windows): Failure validating some certificates (using FTP-SSL) with untrusted root certificate authority | 7 May 2014 00:00 |
| securityvulns | securityvulns | Cyberduck protection bypass | 7 May 2014 00:00 |
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2014-004  
Product: Cyberduck  
Affected Version(s): 4.4.3 (14140) (Windows only)  
Not Affected Version(s): 4.4.3 (14140) and 4.2.1 (9350) (both OS X 10.9.2)  
Tested Version(s): 4.4.3 (Windows 7 32 bit and Windows 8.1 64 bit)  
Vulnerability Type: X.509 validation  
Risk Level: Medium  
Solution Status: Fixed  
Vendor Notification: 2014-04-08  
Solution Date: 2014-04-10  
Public Disclosure: 2014-05-06  
CVE Reference: CVE-2014-2845  
Author of Advisory: Micha Borrmann (SySS GmbH)  
  
Overview:  
Cyberduck (Windows versions only) accepts X.509 server certificates  
issued by any CA, even if that CA is not in the certificate store and its  
certificate is not sent by the FTP server; only self-signed certificates  
are rejected.  
  
Vulnerability Details:  
A user cannot recognize an easy-to-perform man-in-the-middle attack,  
because the client does not validate the certificate chain of the  
server's X.509 certificate. In a network environment that is not  
trustworthy, such as a Wi-Fi network, the server's identity cannot be  
trusted when using FTP AUTH TLS with Cyberduck.  
  
Proof of Concept (PoC):  
With OpenSSL, generate a key for the CA and one for the server, then create  
the certificates:  
  
openssl genrsa -out ca4096.key 4096  
openssl genrsa -out 2048.key 2048  
chmod 400 *.key  
mkdir demoCA  
mkdir demoCA/newcerts  
touch demoCA/index.txt  
echo ffaabb > demoCA/serial  
openssl req -key ca4096.key -out ca4096.crt -new -x509 -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=CA" -days 3652  
openssl req -key 2048.key -out 2048.csr -new -subj "/C=DE/ST=BW/L=/O=SYSS/OU=/CN=www.google.ch" -days 365  
openssl ca -keyfile ca4096.key -cert ca4096.crt -in 2048.csr -out 2048.crt -days 365  
  
Install the key (2048.key) and the X.509 certificate (2048.crt) on a  
ProFTPD server and adjust its configuration:  
  
<IfModule mod_tls.c>  
TLSEngine on  
TLSLog /var/log/proftpd/tls.log  
TLSProtocol SSLv23  
TLSRSACertificateFile /etc/ssl/2048.crt  
TLSRSACertificateKeyFile /etc/ssl/2048.key  
TLSVerifyClient off  
TLSRequired on  
</IfModule>  
  
Spoof DNS for www.google.ch and use Cyberduck to connect to this system  
with FTP-SSL (Explicit AUTH TLS).  
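The check whose absence the PoC exercises is chain validation plus host name matching on the client side. The following is an added example (not the advisory's code and not Cyberduck's): a minimal explicit AUTH TLS client built on Python's standard `ftplib` and `ssl` modules that refuses a server certificate issued by a CA that is neither in the trust store nor sent in the chain, and reports the OpenSSL verify reason. The host passed on the command line, the `cafile` parameter and the `probe_ftps` helper name are assumptions of this example.

```python
"""Explicit AUTH TLS (FTPS) client that validates the server's X.509 chain.

Added example, not code from the advisory or from Cyberduck. It shows the
behaviour a correct client must have: the chain has to end at a CA in the
trust store and the leaf has to match the requested host name. A chain
from a private CA that is neither in the store nor sent by the server,
which is the advisory's PoC setup, is rejected.
"""
import ftplib
import ssl

# OpenSSL verify result codes as exposed by ssl.SSLCertVerificationError.verify_code
_VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "chain ends at a self-signed CA that is not in the trust store",
    20: "issuer CA is neither in the trust store nor in the sent chain",
    62: "certificate does not match the requested host name",
}


def strict_context(cafile=None):
    """Context a client should use: chain validated against the system
    trust store (or the given CA bundle) and host name checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Both are already the defaults of create_default_context; spelled out
    # because they are exactly what the vulnerable client lacked.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def permissive_context():
    """Context that mirrors the vulnerable behaviour (any certificate is
    accepted). Kept only so a test suite can show the difference."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True when the context would reject the advisory's scenario."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def explain_verify_error(code, message=""):
    """Map an OpenSSL verify code to a short explanation."""
    return _VERIFY_CODES.get(code, f"verification failed: {message or code}")


def probe_ftps(host, port=21, cafile=None, timeout=10):
    """Connect with explicit AUTH TLS under strict validation.

    Returns ("ok", subject, issuer) when the chain validates, or
    ("rejected", reason) when it does not. Other network errors propagate.
    """
    ftp = ftplib.FTP_TLS(context=strict_context(cafile), timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()                      # AUTH TLS, then the TLS handshake
        cert = ftp.sock.getpeercert()   # dict form of the validated leaf
        ftp.quit()
        return ("ok", cert.get("subject"), cert.get("issuer"))
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", explain_verify_error(exc.verify_code, exc.verify_message))
    finally:
        ftp.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # host name is supplied by the caller
        print(probe_ftps(sys.argv[1]))
```

Run against a server set up as in the PoC (leaf for www.google.ch signed by a private CA that the server does not send), `probe_ftps` returns the "rejected" tuple with the code-20 explanation; a server whose chain ends at a CA in the trust store returns "ok" with the leaf's subject and issuer. `context_is_strict` is the one-line audit to apply to any client configuration that wraps a socket for FTP-TLS.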
  
Solution: Upgrade to Cyberduck 4.4.4  
  
Disclosure Timeline:  
  
April 08, 2014 - Vulnerability discovered  
April 08, 2014 - Vulnerability reported to vendor  
April 08, 2014 - First Vendor response  
April 10, 2014 - Bug was confirmed and fixed by the vendor  
April 10, 2014 - Bugfix could be confirmed with Cyberduck 4.4.4 (14478)  
April 24, 2014 - Cyberduck 4.4.4 (14505) was released [1]  
  
References:  
[1] https://cyberduck.io/changelog/  
  
Credits:  
Security vulnerability found by Micha Borrmann of SySS GmbH.  
  
Disclaimer:  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory  
may be updated in order to provide as accurate information as  
possible. The latest version of this security advisory is available on  
the SySS web site.  
  
Copyright:  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBCgAGBQJTaKnfAAoJEPxn66kbURKKz48QAJ40OgXXHW92wgtxZz2vhWOD  
XfD2CFs/BeYqS9eKfMOHhnmIYqX756oknm/05pU8McJfp2JGsKOnmXSJhp+68lU9  
EC8hyq9RWEdOO0xQcVTzxmcqJgSCfvKm/G0KOVwWk9UnT84I6IX9eDCKWJUQVHuH  
8bv2BqqhCRjHOhjyoBiWmkxsgMYTBqcqrBKmvUpqfYf5+yQHUWAtxUM5de0u7m3+  
10cgLV+QKOXQ2AM3s59rQ8cyymohe/OLr9ZXbhIXRPndc23aWCy8fUNBXeplzLag  
u26VjrvL1e5RWBL/VsSpsg9KdNb/VcSKgAOOWznpfL7uT0HN4kh6kgwAz+h2SchS  
DoTRKlrMOGiZr5ZwiX8D6ZRPC6RA3a+lnMuKMVv1/WyuedU+lmHhLG1lv/md/jPr  
UQnfHT4JqTFRyjD1QGKQjtZqMwJ8WG7zrANVSKetx7nUrOef6ABynSCTEI74i8OA  
Avrh6PWyjqXI4kQd0y+dAI0qCjnBwU0slXkrA+V4FYHrpWv6cc87OefiUW4jX0a6  
kzEEU6ry1f7gTMu97w2kPzbxKCXaaiDeHJ7Hal5mP3GmFuTMypkYP+ykIVZYgBL7  
Moxo47NMuLC1JhXLeVqLqA3gtfqZRCApyQ/Qh8TkWl6WZQOAHoPbu7yjl+MXoI8W  
r5dXLS4tJ+hdOCaNsLHj  
=QZy5  
-----END PGP SIGNATURE-----  
