FastNetMon Community Edition Missing TLS Certificate Validation Vulnerability

Vulnerability

FastNetMon Community Edition versions through 1.2.9 do not validate TLS certificates on outbound HTTPS connections. The defect is in the 'execute_web_request_secure()' function in 'src/fast_library.cpp': the function creates a Boost.Asio SSL context for the TLS client and loads CA certificates, but never enables verification of the server's certificate chain, so the context keeps its default of not verifying the peer. Loading a CA bundle has no effect unless verification is switched on, so any certificate the server presents (self-signed, expired, or issued for a different name) is accepted and every HTTPS connection made through this function is open to a man-in-the-middle attacker. The affected caller is the telemetry reporting feature, which sends system information to 'community-stats.fastnetmon.com'; an attacker on the network path can intercept, modify, or redirect that data to a server they control.
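The defect is "CA certificates loaded, peer verification never enabled". The following added example (not FastNetMon's code, and not part of this advisory) shows, as constructed C++ snippets embedded in strings, what that pattern and its hardened counterpart look like with the Boost.Asio API the advisory names, and a small Python audit that flags any 'ssl::context' in a source file that loads a CA store without also requiring 'verify_peer' and a hostname check. The snippets, the function signature and the variable name 'ctx' are illustrative assumptions; the Boost.Asio and OpenSSL calls used are real.

```python
import re
from dataclasses import dataclass

# Constructed illustration of the pattern described in the advisory:
# a Boost.Asio TLS client that loads CA certificates but never turns on
# peer verification. This is NOT FastNetMon's source code.
VULNERABLE_SNIPPET = r'''
bool execute_web_request_secure(const std::string& host, const std::string& body) {
    boost::asio::io_context io;
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls_client);
    ctx.set_default_verify_paths();   // CA bundle is loaded ...
    // ... but verify_mode stays at its default (verify_none), so any
    // certificate, self-signed or issued for another name, is accepted.
    boost::asio::ssl::stream<boost::asio::ip::tcp::socket> stream(io, ctx);
    stream.handshake(boost::asio::ssl::stream_base::client);
    return true;
}
'''

# Constructed hardened counterpart: the same client with chain validation
# and hostname verification enabled before the handshake, plus SNI so the
# server can present the right certificate.
HARDENED_SNIPPET = r'''
bool execute_web_request_secure(const std::string& host, const std::string& body) {
    boost::asio::io_context io;
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls_client);
    ctx.set_default_verify_paths();
    ctx.set_verify_mode(boost::asio::ssl::verify_peer);                         // chain must validate
    ctx.set_verify_callback(boost::asio::ssl::host_name_verification(host));    // and name must match
    boost::asio::ssl::stream<boost::asio::ip::tcp::socket> stream(io, ctx);
    if (!SSL_set_tlsext_host_name(stream.native_handle(), host.c_str())) return false;
    stream.handshake(boost::asio::ssl::stream_base::client);
    return true;
}
'''

# Matches declarations such as "boost::asio::ssl::context ctx(" and captures the name.
CTX_DECL = re.compile(r'(?:boost::asio::)?ssl::context\s+(\w+)\s*\(')


@dataclass
class Finding:
    context: str
    loads_ca: bool
    verify_peer: bool
    hostname_check: bool

    @property
    def vulnerable(self) -> bool:
        # A loaded CA store is only consulted when verify_peer is set, and a
        # validated chain without a hostname check still accepts any valid
        # certificate for any other name.
        return not (self.verify_peer and self.hostname_check)


def audit_tls_contexts(source: str) -> list[Finding]:
    """Return one Finding per Boost.Asio ssl::context declared in `source`."""
    findings = []
    for m in CTX_DECL.finditer(source):
        name = re.escape(m.group(1))
        loads_ca = re.search(
            rf'\b{name}\.(?:set_default_verify_paths|load_verify_file|add_verify_path|'
            rf'add_certificate_authority)\s*\(', source) is not None
        verify_peer = re.search(
            rf'\b{name}\.set_verify_mode\s*\([^;]*verify_peer', source) is not None
        hostname_check = re.search(
            rf'\b{name}\.set_verify_callback\s*\([^;]*'
            rf'(?:host_name_verification|rfc2818_verification)', source) is not None
        findings.append(Finding(m.group(1), loads_ca, verify_peer, hostname_check))
    return findings


def report(label: str, source: str) -> None:
    for f in audit_tls_contexts(source):
        status = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{label}: context '{f.context}' loads_ca={f.loads_ca} "
              f"verify_peer={f.verify_peer} hostname_check={f.hostname_check} -> {status}")


if __name__ == "__main__":
    report("vulnerable snippet", VULNERABLE_SNIPPET)
    report("hardened snippet", HARDENED_SNIPPET)
```

The audit is a source-level heuristic for code review, not a substitute for testing the running binary against a listener that presents an untrusted certificate; 'host_name_verification' is the current Boost.Asio hostname verifier, and the older 'rfc2818_verification' is accepted for code built against earlier Boost releases.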

Impact

An attacker positioned on the network path, or able to steer the DNS name 'community-stats.fastnetmon.com' to a host they control, can read and alter the telemetry that FastNetMon sends there, which includes sensitive system information, or capture it on a malicious server without the client noticing, since the server's identity is never checked.

Reproduction

To reproduce, run FastNetMon Community Edition at a version through 1.2.9 with 'community_stats_enable' set to 'true' in the FastNetMon configuration file. When the application starts, 'execute_web_request_secure()' opens an HTTPS connection to 'community-stats.fastnetmon.com' without verifying the server's certificate. Pointing that hostname at a listener that presents an untrusted certificate (for example a self-signed one) shows the handshake completing and the telemetry being sent, where a correctly configured client would abort the connection.

Remediation

Users can disable the telemetry feature by setting 'community_stats_enable' to 'false' in the FastNetMon configuration file, which stops the unverified connection from being made at all. Alternatively, if a forward proxy is available, FastNetMon's outbound HTTPS can be routed through it so that the proxy performs proper certificate validation toward 'community-stats.fastnetmon.com'; note that the hop between FastNetMon and the proxy is still not verified by the client, so the proxy must be on a trusted local path. The code-level fix is to enable peer verification on the Boost.Asio SSL context (the 'verify_peer' mode together with a hostname check for the target) before the handshake, so that the loaded CA certificates are actually used.

Added: May 26, 2026, 11:02 PM
Updated: May 26, 2026, 11:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 5.8
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.