The daily cybersecurity agenda presents another software vulnerability report that includes multiple exploitable security flaws, affecting yet another high-profile company that caters to thousands of organizations across the globe.
The Nextcloud Server Vulnerability
On September 6th, 2021, news of multiple software vulnerabilities that include both high-risk and critical-risk findings, was posted on the GitHub Security Advisory central. The software vulnerability affects the Nextcloud server. Nextcloud server is the most popular self-hosted collaboration solution for tens of millions of users, spanning thousands of organizations across the globe. More information about the software vulnerabilities reveals that, on an unpatched system, first of all, they can lead to a remote attacker bypassing the authentication process. To that end, a remote attacker (cybercriminal) is able to bypass Two Factor Authentication (2FA) and gain access to an account.
Technical Details
Information about the high-risk and critical-risk vulnerabilities was released by Lukas Reschke. The software vulnerabilities have been given public CVE (Common Vulnerabilities and Exposures) ID database codes, CVE-2021-32800 and CVE-2021-32802 respectively. In-depth technical details reveal that the high-risk vulnerability is type: improper authentication. The second more severe critical vulnerability is type: inclusion of functionality from untrusted control sphere.
Improper Authentication Vulnerability
This vulnerability allows a remote attacker to bypass the authentication process, due to an error when processing authentication requests. Thus, a remote attacker is able to bypass 2FA security access processes and compromise an account.
Inclusion of Functionality from Untrusted Control Sphere
This vulnerability exists due to preview generation using a third-party library not suited for user-generated content. A remote attacker can, therefore, execute arbitrary code on a vulnerable system.
Vulnerable Software Versions
The vulnerable software versions for the high-risk and critical-risk vulnerabilities affecting Nextcloud Server are the same. The official list is as follows;
Important Information For Users
It is essential that Nextcloud Server users know that a patch has been released. The patch addresses and mitigates these software vulnerabilities. It is recommended that Nextcloud Server users and customers upgrade to NextCloud Server versions 20.0.12, 21.0.4, or 22.1.0. These versions have closed the security gaps. With that in mind, it is also possible to open a support ticket with Nextcloud here.