UPnP should be turned off by default on focal & jammy

Bug #2071493 reported by khevans
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
qbittorrent (Ubuntu) | New | Undecided | Unassigned |

Bug Description

I wanted to suggest disabling UPnP by default in the focal and jammy versions, since they're still under security maintenance. This setting was allowing attackers to run arbitrary executables via qbittorrent under the default settings and was fixed in 4.6.x and backported to 4.5.x. But focal and jammy are still using older versions.

Here's the GitHub issue: https://github.com/qbittorrent/qBittorrent/issues/18731

These versions are still affected, as shown here: https://git.launchpad.net/ubuntu/+source/qbittorrent/tree/src/base/preferences.cpp?h=ubuntu/jammy-devel#n626 and https://git.launchpad.net/ubuntu/+source/qbittorrent/tree/src/base/preferences.cpp?h=ubuntu/focal-devel#n562

Fix: https://github.com/qbittorrent/qBittorrent/pull/18832/files

The fix is just removing the preprocessor ifs so it always defaults to UPnP disabled. I believe you can just cherry-pick this commit but I have no idea how the Ubuntu repo tracks the GitHub repo.

--

I am suggesting this because at least one person is still using an older LTS (presumably) and was directly affected by this: https://github.com/qbittorrent/qBittorrent/issues/18731#issuecomment-2196436674

NOTE that this affects packages qbittorrent and qbittorrent-nox

khevans (khevans) wrote (last edit ):

Just realized that I might've mistaken the release timelines. Both Focal and Jammy seem to be vulnerable and are in extended support and _not_ security maintenance. I assume the older LTS versions in security maintenance will also be unpatched.

In any case, the fix should get backported since some folks are inadvertently exposing themselves to a major security risk.

information type: Private Security → Public Security
khevans (khevans)
description: updated
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
Seth Arnold (seth-arnold) wrote :

Thanks for the report; what are the consequences of that configuration change? I'm guessing that it would remove the qbittorrent administrative interface from the public IP address of the UPnP router, with no way to re-enable it. Is that correct?

Thanks

khevans (khevans) wrote :

It's only changing the default setting after install. By default, UPnP is enabled, so the web interface may be enabled to the public with default creds. Attackers have been using this to run arbitrary executables for the past year or two.

Users can still choose to enable it, either through the UI or the config file. In the headless install (qbittorrent-nox), users can change it via the web interface locally or through the config file.
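
An added example, not part of the thread or of qBittorrent's own code: because the proposed fix only changes the compiled-in default, an install whose config file never sets the option keeps whatever default its build shipped with. The audit below distinguishes an explicit setting from an absent one; it assumes the option is stored as `WebUI\UseUPnP` under `[Preferences]` in `qBittorrent.conf` (key and section names are not quoted on this page), and the sample configs are constructed.

```python
# Audit a qBittorrent.conf for the WebUI UPnP port-forwarding setting.
# Assumption: the option is stored under [Preferences] as WebUI\UseUPnP
# (QSettings INI layout); the page does not quote the key name.
SECTION = "Preferences"
KEY = r"WebUI\UseUPnP"


def read_setting(conf_text, section=SECTION, key=KEY):
    """Return the raw value of key in section, or None if it is absent."""
    current, found = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip() == key:
                found = value.strip()  # last occurrence wins
    return found


def audit(conf_text):
    """Classify a config as 'enabled', 'disabled' or 'unset'.

    'unset' means the running binary's built-in default applies, which
    on an unpatched build is the behaviour this bug report is about.
    """
    value = read_setting(conf_text)
    if value is None:
        return "unset"
    return "enabled" if value.lower() == "true" else "disabled"


# Constructed sample configs (not taken from a real system).
SAMPLE_NO_KEY = "[LegalNotice]\nAccepted=true\n\n[Preferences]\nWebUI\\Port=8080\n"
SAMPLE_EXPLICIT_OFF = "[Preferences]\nWebUI\\Port=8080\nWebUI\\UseUPnP=false\n"
SAMPLE_EXPLICIT_ON = "[Preferences]\nWebUI\\UseUPnP=true\n"

if __name__ == "__main__":
    for label, text in [("no key", SAMPLE_NO_KEY),
                        ("explicit off", SAMPLE_EXPLICIT_OFF),
                        ("explicit on", SAMPLE_EXPLICIT_ON)]:
        print(f"{label}: {audit(text)}")
```

A result of `unset` on a focal or jammy package is the case to act on: writing the option explicitly as `false` removes the dependence on the build default.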
