Hello Folders! We’ve been made aware of a potential issue for users who are using certain advanced manual configuration options for remote client management using fah-control. We actively recommend against this sort of remote management, so the issue affects less than 1% of our user base, and only under very specific conditions. Even so, in the interest of being transparent and not alarming our users, we are making this blog post to prevent confusion.
The issue is limited to the small subset of users that manually configured the client and their network to allow remote client management, and are using fah-control to connect over an untrusted network to a remotely accessible client port.
In those specific circumstances, if an attacker on the untrusted network could perform a PITM (person-in-the-middle) attack and actively manipulate network traffic, they would be able to remotely execute code in the context of the user running the fah-control GUI. The actual Folding@home client on the remote machine would not be affected, but the system running the fah-control GUI itself could be affected.
If you currently perform the manual steps described and may be affected, we recommend you update to client version v7.6.20 or later. These versions have the fix applied and are no longer affected.
It is also important to point out that manually configuring fah-control to manage remote clients is not recommended when used over an untrusted network. If you need to do this remotely over the public internet, we recommend using a VPN or similar method of extending a trusted network between two locations.
We would also like to thank the researchers that brought this to our attention.
Thanks to Rutger Beltman:
Also to Axel Koolhaas:
We greatly appreciate you both taking time to review some of our open source code and help us through responsible and coordinated disclosure practices.
For anyone else out there who would like to report any potential security concerns, please refer to our contact page at the below link. We may be updating it in the near future with improved security contact information, and our policies and preferences around reporting security vulnerabilities.
Folding@home Security Contact Details: