CVE-2022-39339 - Sensitive Information Exposure in user_oidc for Nextcloud Prior to v1.2.1

CVE-2022-39339 is a sensitive information exposure in user_oidc, the OpenID Connect user backend for Nextcloud. Affected versions could send the OIDC client credentials and tokens that Nextcloud exchanges with the identity provider over plain HTTP rather than TLS, so anyone able to observe that traffic can read them. The vulnerability affects versions of user_oidc prior to v1.2.1.

This issue has been acknowledged by the Nextcloud developers, and a fix is available in user_oidc v1.2.1. Users are advised to update their installations to that version or later immediately. If you are unable to upgrade, configure an HTTPS discovery URL in the provider settings so that user_oidc only contacts the identity provider over TLS; serving Nextcloud itself over HTTPS is necessary but does not by itself address this issue, because the exposed requests are the ones user_oidc makes to the provider.

Original References

- Nextcloud Real-World Attacks
- GitHub user_oidc Repository
- Nextcloud user_oidc Changelog

Exploit Details

An attacker positioned to observe traffic on the network path between the user, the Nextcloud server and the identity provider can read the OIDC client credentials and tokens that are sent in plain text over HTTP, and use them to compromise accounts and gain unauthorized access to resources.

Example of HTTP traffic vulnerable to CVE-2022-39339

GET /nextcloud/index.php/apps/user_oidc?state=xyz&code=abc HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/nextcloud/index.php/login

In the example above, the OIDC authorization code and state parameters travel over HTTP, so a passive observer can read them. The authorization code alone is short-lived and single-use, but the same observer also sees the client secret and the issued tokens when the token exchange between user_oidc and the identity provider runs over HTTP, which is the exposure this advisory is about.
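As an added example (not part of the original advisory or the user_oidc project), the following Python script turns that observation into a detection rule: it walks a constructed list of requests as a passive observer would reassemble them and reports every one that carries an OIDC credential or token over plain HTTP, whether in the query string of the callback or in the form body of the token request. Hosts, paths and parameter values in the sample are made up for illustration.

```python
"""Flag OIDC credentials and tokens sent over plain HTTP.

Added example, not code from the original advisory or the user_oidc project.
The input is a constructed list of requests (method, absolute URL, body) as a
passive observer on the network path could reassemble them; hosts, paths and
parameter values are made up for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Parameters that carry an OAuth/OIDC credential or token. "state" is left out:
# it is a CSRF nonce, not a secret.
SENSITIVE_PARAMS = {"code", "client_secret", "id_token", "access_token", "refresh_token"}

# Constructed sample traffic. The first two entries mirror the callback shown
# above, once over HTTP and once over HTTPS; the third is the back-channel token
# request that the Nextcloud server sends to the provider; the last is noise.
SAMPLE_REQUESTS = [
    ("GET", "http://example.com/nextcloud/index.php/apps/user_oidc?state=xyz&code=abc", ""),
    ("GET", "https://example.com/nextcloud/index.php/apps/user_oidc?state=xyz&code=abc", ""),
    ("POST", "http://oidc.example.com/token",
     "grant_type=authorization_code&code=abc&client_id=nextcloud&client_secret=s3cr3t"),
    ("GET", "http://example.com/nextcloud/index.php/apps/files/", ""),
]


def plaintext_oidc_exposures(requests):
    """Return one (method, host, path, exposed parameter names) tuple per request
    that travels over plain HTTP and carries a sensitive OIDC parameter in its
    query string or form-encoded body."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS-protected: a passive observer sees only the handshake
        params = set(parse_qs(parts.query)) | set(parse_qs(body))
        exposed = sorted(SENSITIVE_PARAMS & params)
        if exposed:
            findings.append((method, parts.hostname, parts.path, exposed))
    return findings


if __name__ == "__main__":
    for method, host, path, exposed in plaintext_oidc_exposures(SAMPLE_REQUESTS):
        print(f"{method} http://{host}{path} exposes {', '.join(exposed)} in cleartext")
```

Run against the sample, the script reports the HTTP callback (code) and the HTTP token request (client_secret and code) and stays silent on the HTTPS callback and the unrelated request. The same function can be fed URLs and bodies extracted from a proxy log or packet capture.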

Remediation

1. Upgrade to user_oidc v1.2.1 or later
   - Download the latest release from the GitHub repository.
   - Follow the upgrade instructions in the documentation.

2. If you cannot upgrade yet, configure an HTTPS discovery URL in the provider settings of the Nextcloud OIDC admin settings. For instance, if your OIDC provider is available at https://oidc.example.com, change its discovery URL and endpoints from http://oidc.example.com to https://oidc.example.com in your Nextcloud configuration, so that user_oidc never contacts the provider over plain HTTP. Check the discovery document the provider serves as well: an HTTPS discovery URL that advertises an http:// token endpoint still sends the client secret in the clear.
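To verify the workaround rather than trust the settings form, here is an added Python check (not the advisory's or the project's own code) that applies the HTTPS rule to both the discovery URL an admin enters and every endpoint the discovery document advertises. The discovery document and hostnames are constructed for illustration; the endpoint field names are the standard OpenID Connect discovery fields.

```python
"""Check that an OIDC provider configuration only uses HTTPS.

Added example, not code from the original advisory or the user_oidc project.
It applies the workaround's rule twice: to the discovery URL entered in the
provider settings, and to every endpoint the discovery document advertises,
since an HTTPS discovery URL can still point at an http:// token endpoint.
The discovery document and URLs below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Endpoint fields from OpenID Connect Discovery (plus the RP-initiated logout
# endpoint) that a relying party such as user_oidc will contact. The token
# endpoint is the one that receives the client secret.
ENDPOINT_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "userinfo_endpoint", "jwks_uri", "end_session_endpoint")

# Constructed discovery document: everything is HTTPS except the token endpoint.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://oidc.example.com",
    "authorization_endpoint": "https://oidc.example.com/authorize",
    "token_endpoint": "http://oidc.example.com/token",
    "userinfo_endpoint": "https://oidc.example.com/userinfo",
    "jwks_uri": "https://oidc.example.com/jwks",
})


def is_https(url):
    """True only for a well-formed URL with the https scheme and a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_provider(discovery_url, discovery_doc_json):
    """Return a list of findings; an empty list means every URL is HTTPS."""
    findings = []
    if not is_https(discovery_url):
        findings.append(f"discovery URL is not https: {discovery_url}")
    doc = json.loads(discovery_doc_json)
    for field in ENDPOINT_FIELDS:
        if field in doc and not is_https(doc[field]):
            findings.append(f"{field} is not https: {doc[field]}")
    return findings


if __name__ == "__main__":
    for url in ("http://oidc.example.com/.well-known/openid-configuration",
                "https://oidc.example.com/.well-known/openid-configuration"):
        print(url, "->", check_provider(url, SAMPLE_DISCOVERY_DOC) or "OK")
```

In practice, fetch the real discovery document from the provider's /.well-known/openid-configuration URL and pass its JSON to check_provider; a non-empty result means either the configured URL or one of the provider's advertised endpoints would make user_oidc talk plaintext. For the constructed document above, even the HTTPS discovery URL yields one finding, the plaintext token endpoint.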

Conclusion

CVE-2022-39339 puts the accounts of Nextcloud users at risk on installations running user_oidc versions prior to 1.2.1, because the client credentials and tokens exchanged with the identity provider can be read off the wire. Upgrade to user_oidc 1.2.1 or later; until then, make sure the discovery URL and every provider endpoint user_oidc talks to use HTTPS, and verify it rather than assume it, since a plaintext token endpoint leaks the client secret on every login.

Timeline

Published on: 11/25/2022 19:15:00 UTC
Last modified on: 12/01/2022 20:43:00 UTC