CVE-2022-39364 - Nextcloud Server SharePoint Credentials Exposure Vulnerability Fixed in Recent Updates

Hello everyone!

We're here today to discuss a recently discovered vulnerability in Nextcloud Server, specifically, (CVE-2022-39364). This vulnerability has the potential to expose sensitive SharePoint credentials, especially if you're using the server prior to versions 23..9 and 24..5. The ever-resourceful folks at Nextcloud have already patched the vulnerability in Nextcloud Server versions 23..9 and 24..5 as well as Nextcloud Enterprise Server versions 22.2.10.5, 23..9, and 24..5.

Background

Nextcloud Server is the robust file server software that powers Nextcloud, a self-hosted productivity platform that millions of organizations and individuals rely on. As with any software, it's crucial to learn about and patch vulnerabilities as they're discovered. Keeping your Nextcloud Server updated is essential for improving security and functionality.

The Vulnerability

In affected versions of Nextcloud Server and Nextcloud Enterprise Server, an attacker gaining access to the nextcloud.log file could discover your credentials used to connect to a SharePoint service. Sharepoint services are often used for storing crucial and sensitive data, so this is definitely a concern you'd want to address immediately.

Code Snippet

For those specifically interested in the technical details, here's a code snippet illustrating the vulnerability:

Before the patch (example from nextcloud.log)

{
  "reqId": "unique request id",
  "level": 3,
  "time": "2022-01-01T00:00:00+00:00",
  "remoteAddr": "attacker IP",
  "user": "attacked user",
  "app": "files_external",
  "method": "GET",
  "url": "/remote.php/webdav/",
  "message": {
    "Exception": "Exception class",
    "Message": "Error message",
    "Code": ,
    "Trace": [
      {
        "file": "/path/to/nextcloud/lib/...",
        "line": 123,
        "function": "connect",
        "class": "OC\\Files\\Storage\\SMB",
        "type": "->",
        "args": [
          {
            "__class__": "Icewind\\SMB\\BasicAuth",
            "user": "username",
            "password": "sensitive_password", // This is the critical information
            "workgroup": "workgroup"
          }
        ]
      }
    ]
  },
 ..
}

And after applying the patch or update, the nextcloud.log would look like this

{
  ... (same beginning as before)
  "Trace": [
      {
        ... (same before),
        "args": [
          {
            "__class__": "Icewind\\SMB\\BasicAuth",
            "user": "username",
            "password": "* sensitive information replaced *",
            "workgroup": "workgroup"
          }
        ]
      }
    ]
  },
 ..
}

Mitigation

If you're unable to update your Nextcloud Server or the Nextcloud Enterprise Server immediately, you can use a workaround by setting the zend.exception_ignore_args option to "On" in your PHP configuration file (php.ini):

zend.exception_ignore_args = On

While this isn't a long-term solution, it will provide you with some security until you can properly update your Nextcloud Server.

- Nextcloud Server Changelog: https://nextcloud.com/changelog/
- Nextcloud Enterprise Server Changelog: https://nextcloud.com/enterprise/changelog/
- CVE-2022-39364 details: https://nvd.nist.gov/vuln/detail/CVE-2022-39364

Conclusion

Software vulnerabilities are inevitable, but it's crucial to stay up-to-date on security advisories and fixes. Ensuring your Nextcloud Server and Nextcloud Enterprise Server are updated or patched will help mitigate the exposure of SharePoint credentials. It never hurts to be proactive in keeping your software safe, secure, and functioning optimally.

Timeline

Published on: 10/27/2022 15:15:00 UTC
Last modified on: 10/31/2022 14:26:00 UTC