Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
Title: Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
Advisory ID: ZSL-2022-5696
Type: Local/Remote
Impact: DoS
Risk: (2/5)
Release Date: 27.01.2022
Summary
Fetch is a reliable, full-featured file transfer client for the Apple Macintosh whose user interface emphasizes simplicity and ease of use. Fetch supports FTP and SFTP, the most popular file transfer protocols on the Internet for compatibility with thousands of Internet service providers, web hosting companies, publishers, pre-press companies, and more.
Description
The application is prone to a DoS after receiving a long server response (more than 2K bytes) leading to 100% CPU consumption.
Vendor
Fetch Softworks - https://www.fetchsoftworks.com
Affected Version
5.8.2 (5K1354)
Tested On
macOS Monterey 12.2
macOS Big Sur 11.6.2
Vendor Status
N/A
PoC
fetchftp_cpu.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/165769/
[2] https://cxsecurity.com/issue/WLB-2022010141
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/218386
[4] https://www.exploit-db.com/exploits/50696
Changelog
[27.01.2022] - Initial release
[01.02.2022] - Added reference [1], [2] and [3]
[02.02.2022] - Added reference [4]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
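Client-side mitigation sketch for the condition in the Description (an added example, not part of the original advisory and not Fetch's code): an FTP reply reader that bounds both the length of a single reply line and the size of a whole multi-line reply, so an oversized server response is rejected instead of processed. The names MAX_LINE, MAX_REPLY, ReplyTooLong, read_line and read_reply and the chosen limits are assumptions; with a real connection the stream would be sock.makefile("rb").

```python
import io
import re

MAX_LINE = 2048        # assumed per-line cap, chosen to match the ~2K threshold in the advisory
MAX_REPLY = 16 * 1024  # assumed cap for one complete (possibly multi-line) reply

class ReplyTooLong(Exception):
    """A server reply exceeded a configured bound."""

def read_line(stream, limit=MAX_LINE):
    # readline(limit + 1) stops after limit + 1 bytes, so an oversized line is
    # rejected without ever being buffered or scanned in full.
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise ReplyTooLong(f"reply line longer than {limit} bytes")
    if not line.endswith(b"\n"):
        raise EOFError("connection closed before end of reply line")
    return line.rstrip(b"\r\n")

FIRST_LINE = re.compile(rb"(\d{3})([ -])(.*)", re.DOTALL)

def read_reply(stream, max_line=MAX_LINE, max_reply=MAX_REPLY):
    """Read one RFC 959 reply; return (code, [text lines])."""
    first = read_line(stream, max_line)
    m = FIRST_LINE.fullmatch(first)
    if m is None:
        raise ValueError("malformed reply: missing 3-digit code")
    code, sep, text = m.groups()
    lines, total = [text], len(first)
    while sep == b"-":                      # multi-line reply: read until "<code> "
        line = read_line(stream, max_line)
        total += len(line)
        if total > max_reply:
            raise ReplyTooLong(f"reply longer than {max_reply} bytes")
        if line.startswith(code + b" "):
            lines.append(line[4:])
            break
        lines.append(line)
    return int(code), [l.decode("latin-1") for l in lines]

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    ok = io.BytesIO(b"230-Welcome\r\n second line\r\n230 Logged in\r\n")
    print(read_reply(ok))
    long_line = io.BytesIO(b"220 " + b"A" * 3000 + b"\r\n")
    try:
        read_reply(long_line)
    except ReplyTooLong as exc:
        print("rejected:", exc)
```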