Cyber security specialists from the Military Cyber Center have found a security vulnerability in the file manager program “Midnight Commander” that has existed for nine years.
When developing software, it is not uncommon for security vulnerabilities to arise due to programming errors. In most cases, however, these are found and rectified within a short period of time. However, it also happens that such vulnerabilities remain undiscovered for several years. This was the case with the “Midnight Commander” file manager, where Manfred Kaiser from the “Austrian Military Computer Emergency Readiness Team” (AUT-milCERT) found a vulnerability that had existed for nine years. The “Midnight Commander” program is one of the best-known console applications under the Linux operating system. It is a visual file manager with which it is possible to copy, move or delete files or even entire folder structures – not only locally on a computer, but also within a network. The program uses a specific protocol for data transfer, which is based on an encrypted network protocol. In order to ensure that a computer only communicates with a specific remote station, the computer is required to check the so-called fingerprint. This is used to identify computers within a network and is made up of a unique character string. If this verification is missing, an attacker could redirect the data to another computer without the user noticing.
Fingerprint verification was not implemented in “Midnight Commander”, which is why it was possible to establish a connection to another computer without verifying its identity. This made the program vulnerable to so-called “man in the middle” attacks, in which an attacker can read the transmitted files but also manipulate them. The “Austrian Military Computer Emergency Readiness Team” regularly carries out security checks to identify vulnerabilities in its own systems or in so-called “open source software”. The vulnerability was discovered during one of these checks and reported to the developers. The bug was fixed immediately, it is therefore recommended to update the existing version of “Midnight Commander”.
