Notes on CVE-2024-5806

The recently disclosed vulnerability detailed in CVE-2024-5806, published on June 25th 2024, describes behavior in the SFTPServer component of IPWorks SSH (.NET Edition), where unintended file access or network path requests may be made without the user's knowledge.

While we have verified situations where this happens (and patched the code accordingly), we believe that the scenarios described in the CVE are extreme and unlikely to arise in real world applications.

CVE Scenario Artificially Bypasses Authentication

The described behavior occurs only after a developer has accepted the user's credentials without verification. In real world applications, the user's credentials would be inspected by the code, and the code would have the opportunity to accept or deny access to the remote user, thus preventing unintended access.

The code sample used by the security researcher accepts the remote user unconditionally, effectively telling the component it is safe to read the associated certificate and verify the corresponding signatures using its keys.

The steps described in the CVE use a sample project included in the IPWorks SSH package to illustrate the behavior. Such samples are designed for clarity and explicitly omit various steps normally required in production applications.

Below is the code in question. Note the comment about the demo accepting all users - emphasis added:

    // Here is where you would check that the "user" and "password"
    // arguments match e.User and e.AuthParam respectively.
    // *** FOR PURPOSES OF THIS DEMO ALL USERS ARE ACCEPTED ***
    e.Accept = true;

The unintended file access request occurs only after the developer has accepted the user's credentials.
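For contrast with the demo handler above, here is a sketch of a handler that denies by default and sets Accept only after the supplied password verifies. This is an added example, not code from the IPWorks SSH package: the AuthRequestArgs class is a hypothetical stand-in that models only the User, AuthParam and Accept members seen in the demo snippet, and the credential store, iteration count and sample accounts are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical stand-in for the component's event arguments; only the three
// members that appear in the demo snippet (User, AuthParam, Accept) are modeled.
class AuthRequestArgs
{
    public string User = "";
    public string AuthParam = "";
    public bool Accept;               // false until proven otherwise
}

static class AuthDemo
{
    const int Iterations = 210_000;   // assumed PBKDF2 work factor
    static readonly byte[] DummySalt = new byte[16];
    // Constructed credential store: user -> (salt, PBKDF2-SHA256 hash).
    static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Users = new();

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    static void Enroll(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        Users[user] = (salt, Derive(password, salt));
    }

    // Handler body: deny by default, accept only on a verified password.
    static void OnAuthRequest(AuthRequestArgs e)
    {
        e.Accept = false;
        bool known = Users.TryGetValue(e.User ?? "", out var rec);
        // Derive even for unknown users so both paths do the same work.
        byte[] candidate = Derive(e.AuthParam ?? "", known ? rec.Salt : DummySalt);
        bool match = CryptographicOperations.FixedTimeEquals(candidate, known ? rec.Hash : DummySalt);
        e.Accept = known && match;
    }

    static void Main()
    {
        Enroll("alice", "constructed-sample-password");
        foreach (var (u, p) in new[] { ("alice", "constructed-sample-password"),
                                       ("alice", "wrong"), ("mallory", "anything") })
        {
            var e = new AuthRequestArgs { User = u, AuthParam = p };
            OnAuthRequest(e);
            Console.WriteLine($"{u}: {(e.Accept ? "accepted" : "denied")}");
        }
    }
}
```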

Nonetheless, out of an abundance of caution, we recommend that all applications be updated to address potential vulnerabilities. We have taken steps to prevent all unintended file and network access requests in an update which is now available on our website and in NuGet.

SFTP Server Application Not Affected

This vulnerability does not impact our SFTP Server application. We have done extensive testing and code review during the past few days and have found no issues.

We continue to explore other areas where this issue may potentially arise and will provide additional updates as necessary.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article, please contact our support team at kb@nsoftware.com.