Remote management vulnerability in versions before 7.6.20
Posted: Tue Nov 24, 2020 10:03 am
Official post about the issue:
https://foldingathome.org/2020/11/23/up ... gurations/
If you're using FAHControl Advanced GUI 7.6.13 or earlier to control remote folding machines over an untrusted network (i.e. without using a VPN), there is a potential "man-in-the-middle" attack that could let an attacker on the network inject code to be run on your GUI machine.
This vulnerability has been fixed in FAHControl GUI 7.6.20 and later. The actual remote folding machine client is not affected by this vulnerability.
The likelihood of someone actually exploiting this vulnerability on the network is rather low, as the attacker would have to be on your network or the networks between you and the folding machine to do this, but it's good that this has been patched. You shouldn't leave your folding machines available to the outside world anyway.
This vulnerability is more serious for cloud folders, who rent instances on services like Azure or vast.ai to fold, since before version 7.6.20 it would be possible for the cloud instance to execute code on your GUI machine. Cloud folders in particular should update their GUI control if they use it to control folding instances directly.
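As an added illustration (not part of the post above, and not code from the Folding@home project), the following Python checks an inventory of FAHControl versions against the fix threshold the post gives, 7.6.20. The point it makes beyond the prose is that version strings must be compared component by component as integers: a plain string comparison would rank 7.6.9 above 7.6.20 and 7.10 below 7.6. The host names and versions in the sample inventory are constructed.

```python
"""Added example: flag FAHControl installs older than the fixed release.

Threshold taken from the post (fixed in 7.6.20 and later); inventory data
below is constructed for illustration and not from any real deployment.
"""

FIXED_IN = (7, 6, 20)  # FAHControl release that carries the fix, per the post


def parse_version(text):
    """Turn '7.6.13' into (7, 6, 13); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text, fixed_in=FIXED_IN):
    """True if this FAHControl version is older than the fixed release.

    Components are compared numerically, so 7.6.9 < 7.6.20 and 7.10.0 > 7.6.20,
    which a lexicographic string comparison would get wrong.
    """
    v = parse_version(version_text)
    # Pad the shorter tuple with zeros so '7.6' is treated as 7.6.0.
    width = max(len(v), len(fixed_in))
    v = v + (0,) * (width - len(v))
    f = tuple(fixed_in) + (0,) * (width - len(fixed_in))
    return v < f


def audit(hosts):
    """hosts: mapping of machine name -> reported FAHControl version.

    Returns the sorted names of machines still running an affected GUI.
    """
    return sorted(name for name, ver in hosts.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical names and versions).
    inventory = {
        "laptop": "7.6.13",
        "desktop": "7.6.20",
        "old-vm": "7.5.1",
        "workstation": "7.6.21",
    }
    print(audit(inventory))  # ['laptop', 'old-vm']
```

The inventory would in practice come from whatever asset list you keep for control machines; the script only decides whether each reported version predates the fix.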