openSUSE 15 Security Update : nextcloud (openSUSE-SU-2021:1068-1)

critical Nessus Plugin ID 151853

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1068-1 advisory.

- A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules. (CVE-2020-8293)

- A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. (CVE-2020-8294)

- A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. (CVE-2020-8295)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist. (CVE-2021-32678)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user- supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3.
Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`. (CVE-2021-32679)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. (CVE-2021-32680)

- Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading. (CVE-2021-32688)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3.
There are no known workarounds. (CVE-2021-32703)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. (CVE-2021-32705)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
(CVE-2021-32725)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. (CVE-2021-32726)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings. (CVE-2021-32734)

- Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. (CVE-2021-32741)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected nextcloud and / or nextcloud-apache packages.

See Also

https://bugzilla.suse.com/1181445

https://bugzilla.suse.com/1181803

https://bugzilla.suse.com/1181804

https://bugzilla.suse.com/1188247

https://bugzilla.suse.com/1188248

https://bugzilla.suse.com/1188249

https://bugzilla.suse.com/1188250

https://bugzilla.suse.com/1188251

https://bugzilla.suse.com/1188252

https://bugzilla.suse.com/1188253

https://bugzilla.suse.com/1188254

https://bugzilla.suse.com/1188255

https://bugzilla.suse.com/1188256

http://www.nessus.org/u?47e87029

https://www.suse.com/security/cve/CVE-2020-8293

https://www.suse.com/security/cve/CVE-2020-8294

https://www.suse.com/security/cve/CVE-2020-8295

https://www.suse.com/security/cve/CVE-2021-32678

https://www.suse.com/security/cve/CVE-2021-32679

https://www.suse.com/security/cve/CVE-2021-32680

https://www.suse.com/security/cve/CVE-2021-32688

https://www.suse.com/security/cve/CVE-2021-32703

https://www.suse.com/security/cve/CVE-2021-32705

https://www.suse.com/security/cve/CVE-2021-32725

https://www.suse.com/security/cve/CVE-2021-32726

https://www.suse.com/security/cve/CVE-2021-32734

https://www.suse.com/security/cve/CVE-2021-32741

Plugin Details

Severity: Critical

ID: 151853

File Name: openSUSE-2021-1068.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/21/2021

Updated: 12/7/2023

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32726

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nextcloud, cpe:/o:novell:opensuse:15.3, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:nextcloud-apache

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/20/2021

Vulnerability Publication Date: 1/26/2021

Reference Information

CVE: CVE-2020-8293, CVE-2020-8294, CVE-2020-8295, CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734, CVE-2021-32741