Cyberduck and Mountain Duck Improper TLS Certificate Handling Vulnerability

Vulnerability

A vulnerability exists in Cyberduck versions prior to 9.1.6 and Mountain Duck versions prior to 4.17.5, where the applications improperly manage TLS certificate pinning for untrusted certificates, such as self-signed ones. This flaw allows these certificates to be installed in the Windows Certificate Store for the current user without any restrictions. As a result, other programs that rely on this certificate store could be misled into trusting these certificates for various purposes, potentially enabling attacks that bypass certificate-based authentication or authorization.

Impact

Exploiting this vulnerability could lead to unauthorized trust in self-signed certificates, allowing for server authentication, code signing, or machine-in-the-middle attacks, depending on the context.

Reproduction

To reproduce this vulnerability, connect to a WebDAV server using a self-signed certificate with Cyberduck or Mountain Duck. When prompted about the untrusted certificate, select 'Always Trust' and continue. This action installs the certificate in the Windows Certificate Store's 'Trusted Root Certification Authorities' for the current user, with its 'Intended Purposes' set to 'All'. Afterward, both the certificate store and the application's configuration file will reflect the accepted certificate, establishing a trust that can be exploited.

Remediation

Users are advised to update to Cyberduck version 9.1.7 or Mountain Duck version 4.17.6, both of which address this vulnerability by changing how certificates are handled. The updated versions no longer install untrusted certificates into the Windows Certificate Store; instead, they store the certificate fingerprints in the application's own configuration files.
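The reproduction steps above describe what ends up in the current user's 'Trusted Root Certification Authorities' store, and the remediation moves trust decisions into the application's own configuration. The following PowerShell script is an added example for administrators auditing that store; it is not part of the advisory or of the Cyberduck or Mountain Duck projects. It lists self-signed certificates in CurrentUser\Root (a self-signed certificate names itself as issuer) together with their intended purposes, and offers a thumbprint-based removal helper. It assumes Windows PowerShell or PowerShell 7 running on Windows, where the Cert: provider is available; the function names are chosen here and not taken from any tool.

```powershell
# Added example (not the advisory's or the projects' code): audit and clean up
# self-signed certificates in the current user's Trusted Root store, the store
# the advisory names as the destination of an 'Always Trust' answer.
# Requires the Cert: PSDrive, i.e. PowerShell on Windows.

function Get-SelfSignedUserRoot {
    [CmdletBinding()]
    param(
        # Store path to audit; the advisory concerns the current user's Root store.
        [string]$StorePath = 'Cert:\CurrentUser\Root'
    )
    Get-ChildItem -Path $StorePath | Where-Object {
        # A self-signed certificate is its own issuer.
        $_.Subject -eq $_.Issuer
    } | ForEach-Object {
        # EnhancedKeyUsageList is added by the Certificate provider. A certificate
        # with no Enhanced Key Usage extension is shown by certmgr.msc as
        # 'Intended Purposes: <All>', which matches the advisory's observation.
        $purposes = if ($_.EnhancedKeyUsageList.Count -eq 0) {
            'All'
        } else {
            ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            Purposes   = $purposes
        }
    }
}

function Remove-UserRootByThumbprint {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # SHA-1 thumbprint as displayed by Get-SelfSignedUserRoot (hex, no spaces).
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9A-Fa-f]{40}$')]
        [string]$Thumbprint
    )
    # The Certificate provider exposes each certificate as a child item keyed by thumbprint.
    $path = "Cert:\CurrentUser\Root\$Thumbprint"
    if (-not (Test-Path -Path $path)) {
        Write-Warning "No certificate with thumbprint $Thumbprint in CurrentUser\Root."
        return
    }
    if ($PSCmdlet.ShouldProcess($path, 'Remove certificate from Trusted Root store')) {
        Remove-Item -Path $path
    }
}

# Usage: list candidates, review the Subject column, then remove an unwanted entry.
Get-SelfSignedUserRoot | Format-Table -AutoSize
# Remove-UserRootByThumbprint -Thumbprint '<thumbprint from the listing above>' -WhatIf
```

Subject equals issuer is a heuristic: genuine public root CAs are self-signed too, so review the Subject column against what you expect on the machine before removing anything, and use -WhatIf first. The script reads and removes store entries only; it does not touch the application's configuration file, whose location the advisory does not give.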

Added: Jun 25, 2025, 10:47 AM
Updated: Jun 25, 2025, 10:47 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 6.7
exploitability: 5.8
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.