
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Midnight Commander through version 4.8.26 (CVE-2021-36370). When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed, resulting in users connecting to servers without the ability to verify their authenticity. The vulnerability was discovered and reported by Manfred KAISER from AUT-milCERT during an audit of open source software (GNOME Archives).
The vulnerability stems from a design flaw in the SFTP VFS (Virtual File System) implementation where server fingerprints were computed but not verified during connection establishment. The issue received a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on integrity (NVD).
The vulnerability allows an attacker to potentially perform man-in-the-middle attacks, as users have no way to verify the authenticity of the SFTP server they are connecting to. This could lead to unauthorized access to sensitive information or compromise of data integrity during file transfers (GNOME Archives).
The issue was fixed in Midnight Commander version 4.8.27. Users are strongly advised to upgrade to this version or later. The fix implements proper server fingerprint verification during SFTP connections (GNOME Archives).
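To make the flaw and the fix concrete, here is an added illustration of the host-key check an SFTP client should perform; it is example code written for this entry, not Midnight Commander's own code, and the key blobs, host names, and function names are constructed placeholders. The vulnerable variant mirrors the pattern described above (fingerprint computed, never compared or shown); the fixed variant compares the presented fingerprint against a pinned entry and refuses to proceed on a mismatch or on an unknown host without an explicit trust decision.

```python
import base64
import hashlib
import hmac
from enum import Enum

# Constructed sample key blobs (not real keys, not mc's code) standing in
# for the raw host key an SFTP client receives during key exchange.
REAL_SERVER_KEY = b"ssh-ed25519 constructed-sample-key-A"
IMPOSTOR_KEY = b"ssh-ed25519 constructed-sample-key-B"

def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class HostKeyStatus(Enum):
    MATCH = "match"        # presented key equals the pinned entry: proceed
    MISMATCH = "mismatch"  # presented key differs: abort, possible MITM
    UNKNOWN = "unknown"    # nothing pinned for this host: needs an explicit decision

def connect_vulnerable(host: str, server_key: bytes, known_hosts: dict) -> bool:
    """CVE-2021-36370 pattern: fingerprint computed, never compared or shown."""
    _unused = fingerprint_sha256(server_key)  # computed, then ignored
    return True  # every connection proceeds, impostor or not

def verify_host_key(host: str, server_key: bytes, known_hosts: dict) -> HostKeyStatus:
    """Hardened check: compare the presented fingerprint with the pinned one."""
    presented = fingerprint_sha256(server_key)
    pinned = known_hosts.get(host)
    if pinned is None:
        return HostKeyStatus.UNKNOWN
    if hmac.compare_digest(presented, pinned):
        return HostKeyStatus.MATCH
    return HostKeyStatus.MISMATCH

def connect_fixed(host: str, server_key: bytes, known_hosts: dict,
                  trust_unknown: bool = False) -> bool:
    """Proceed on MATCH, or on UNKNOWN only if the caller explicitly accepted the
    displayed fingerprint (trust-on-first-use), which is then pinned."""
    status = verify_host_key(host, server_key, known_hosts)
    if status is HostKeyStatus.MATCH:
        return True
    if status is HostKeyStatus.UNKNOWN and trust_unknown:
        known_hosts[host] = fingerprint_sha256(server_key)
        return True
    return False

if __name__ == "__main__":
    known = {"sftp.example.test": fingerprint_sha256(REAL_SERVER_KEY)}
    print("vulnerable client, impostor key:", connect_vulnerable("sftp.example.test", IMPOSTOR_KEY, known))
    print("fixed client, impostor key:", connect_fixed("sftp.example.test", IMPOSTOR_KEY, known))
```

Run as a script, the vulnerable client accepts the impostor's key while the fixed client rejects it; `SHA256:` fingerprints in this format are what `ssh-keygen -lf` prints, so a pinned value can be taken directly from the server operator.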
The vulnerability was responsibly disclosed by AUT-milCERT, and the Midnight Commander development team promptly addressed it; the project team acknowledged and thanked AUT-milCERT for finding and responsibly disclosing the issue (GNOME Archives).
Source: This report was generated using AI