Cyberduck and Mountain Duck TLS Certificate Pinning Vulnerability Allowing Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in Cyberduck versions prior to 9.1.6 and Mountain Duck versions prior to 4.17.5, due to improper handling of TLS certificate pinning for untrusted certificates, such as self-signed certificates. When a user chooses to trust such a certificate, its fingerprint is stored using SHA-1, a weak hash algorithm, instead of a more secure option such as SHA-256 or SHA-512. This flaw could allow an attacker to craft a certificate whose SHA-1 fingerprint collides with the pinned one, facilitating a man-in-the-middle attack on the TLS-encrypted connection and resulting in a complete loss of confidentiality and integrity.

Impact

Exploitation of this vulnerability could lead to a man-in-the-middle attack, where an attacker intercepts and potentially alters the communication between the user and the server, undermining the security of the TLS encryption.

Reproduction

To reproduce this vulnerability, connect to a WebDAV server using a self-signed certificate with Cyberduck or Mountain Duck. When prompted about the untrusted certificate, select 'Always Trust' and continue. The application then stores the certificate fingerprint as a SHA-1 hash in its configuration file and compares later presented certificates against that weak pin, which is the condition an attacker could exploit.
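The following Python example is added here to illustrate the pinning check described in the vulnerability and reproduction sections above; it is not Cyberduck's or Mountain Duck's code and does not use their configuration format. It shows how a pin should be derived with SHA-256 and compared in constant time, and how a verifier can recognise a stored SHA-1 pin (40 hex characters) and refuse to honour it unless explicitly allowed. The certificate bytes and all function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a server's DER-encoded certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-der-bytes-for-example.invalid"

# Hex digest lengths for the hash algorithms a pin may have been stored with.
PIN_ALGORITHMS = {40: "sha1", 64: "sha256", 128: "sha512"}


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Return the lowercase hex fingerprint of a DER certificate under the given hash."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def normalise_pin(stored_pin: str) -> str:
    """Strip the colon separators some tools use and lowercase the hex string."""
    return stored_pin.replace(":", "").strip().lower()


def classify_pin(stored_pin: str) -> str:
    """Infer the hash algorithm of a stored pin from its length; 'unknown' if it fits none."""
    return PIN_ALGORITHMS.get(len(normalise_pin(stored_pin)), "unknown")


def verify_pin(cert_der: bytes, stored_pin: str, allow_weak: bool = False) -> bool:
    """Return True only if the presented certificate matches the stored pin.

    A SHA-1 pin is rejected unless allow_weak is set, so that a weak pin left over
    from an older client version forces a re-prompt and re-pin with SHA-256.
    """
    algorithm = classify_pin(stored_pin)
    if algorithm == "unknown":
        return False
    if algorithm == "sha1" and not allow_weak:
        return False
    actual = fingerprint(cert_der, algorithm)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, normalise_pin(stored_pin))


def weak_pins(stored_pins: dict) -> list:
    """Return the hostnames whose stored pin was derived with SHA-1 and should be re-pinned."""
    return [host for host, pin in stored_pins.items() if classify_pin(pin) == "sha1"]


if __name__ == "__main__":
    sha1_pin = fingerprint(SAMPLE_CERT_DER, "sha1")
    sha256_pin = fingerprint(SAMPLE_CERT_DER)
    pins = {"legacy.example.invalid": sha1_pin, "current.example.invalid": sha256_pin}
    print("hosts needing re-pin:", weak_pins(pins))
    print("sha256 pin verifies:", verify_pin(SAMPLE_CERT_DER, sha256_pin))
    print("sha1 pin verifies by default:", verify_pin(SAMPLE_CERT_DER, sha1_pin))
```

In a real client the DER bytes come from the TLS handshake (for example `ssl.SSLSocket.getpeercert(binary_form=True)`), and the `weak_pins` scan is the kind of check an administrator can run over exported pins to find entries written by an affected version before the update.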

Remediation

Users are advised to update to Cyberduck version 9.1.7 or Mountain Duck version 4.17.6, both of which address this vulnerability by using a stronger hashing algorithm for certificate fingerprints.

Added: Jun 25, 2025, 10:46 AM
Updated: Jun 25, 2025, 10:46 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          6.6
impact          5.0
exploitability  5.4
remediation     7.7
relevance       0.2
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.