CVE-2023-39963: Missing Password Confirmation in Nextcloud Server Allows Attackers to Create App Passwords

An important security issue (CVE-2023-39963) has been discovered in certain versions of Nextcloud Server, an open source cloud platform used for data storage. The vulnerability allowed an attacker who had already stolen a logged-in user's session to create app passwords for that user without the password confirmation step that normally protects this action. The issue was present in Nextcloud Server versions from 20.. up to the patched versions listed later in this post. Nextcloud has released fixes in those versions, and administrators are strongly advised to update their instances to the latest patched release. No known workarounds are available.

Code Snippet

The affected code path is the creation of app passwords without first confirming the user's password. The following pseudocode illustrates what the vulnerable code might look like (it is an illustration, not Nextcloud's actual source):

function createAppPassword() {
  // No password confirmation: a valid session is all that is checked
  // ...
  // Code for creating an app password
  // ...
}

The patch implemented by Nextcloud now confirms the user's password before app passwords can be created:

function createAppPassword() {
  // Abort unless the user has recently re-entered the account password
  if (!confirmPassword()) {
    return;
  }
  // ...
  // Code for creating an app password
  // ...
}
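To make the difference between the two snippets concrete, here is a small Python model of the gate the patch introduces. It is an added example, not Nextcloud's own code; the 30-minute confirmation window, the PBKDF2 password hashing and the class and method names are all assumptions made for the model.

```python
import hashlib
import hmac
import secrets

# Assumed policy for this model: a password confirmation stays valid for 30 minutes.
CONFIRM_WINDOW_SECONDS = 30 * 60


class PasswordConfirmationRequired(Exception):
    """Sensitive action attempted without a recent password entry."""

class Account:
    """Toy model of one user's sessions and app passwords (constructed, not Nextcloud code)."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.sessions = {}       # session id -> time of last password confirmation
        self.app_passwords = []  # app passwords issued for this account

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, now: int) -> str:
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            raise PermissionError("wrong password")
        sid = secrets.token_hex(16)
        self.sessions[sid] = now  # logging in counts as a confirmation
        return sid

    def confirm_password(self, sid: str, password: str, now: int) -> None:
        if sid not in self.sessions or not hmac.compare_digest(self._hash(password), self._pw_hash):
            raise PermissionError("confirmation failed")
        self.sessions[sid] = now

    def create_app_password_unpatched(self, sid: str) -> str:
        # CVE-2023-39963 behaviour: any valid session may mint an app password.
        if sid not in self.sessions:
            raise PermissionError("not logged in")
        token = secrets.token_hex(16)
        self.app_passwords.append(token)
        return token

    def create_app_password(self, sid: str, now: int) -> str:
        # Patched behaviour: the session must carry a recent password confirmation.
        if sid not in self.sessions:
            raise PermissionError("not logged in")
        if now - self.sessions[sid] > CONFIRM_WINDOW_SECONDS:
            raise PasswordConfirmationRequired("re-enter the account password")
        return self.create_app_password_unpatched(sid)
```

Note that a session stolen while its confirmation is still fresh can pass the patched check until the window expires, which is why the window is kept short. Monitoring app-password creation events is therefore still worthwhile even on patched instances.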

Original References & Exploit Details

The discovery of this vulnerability, along with its impact and risk assessment, can be tracked in Nextcloud's official security advisories:

- Nextcloud Server Security Advisory for CVE-2023-39963

It is important to note that this vulnerability does not have a public exploit available, and the risk of exploitation is generally considered to be low. However, given the sensitive nature of the data stored in Nextcloud instances, organizations should still act swiftly to apply the provided patches and updates.

As there are no known workarounds for this issue, the ideal course of action is to update your Nextcloud Server to a patched version that addresses the vulnerability:

- Nextcloud Server: 25..9, 26..4, or 27..1

- Nextcloud Enterprise Server: 20..14.15, 21..9.13, 22.2.10.14, 23..12.9, 24..12.5, 25..9, 26..4, or 27..1

You can find the update instructions in the Nextcloud Server Administration Manual.

Additionally, organizations should ensure they enforce security best practices such as proper session management, user and password policies, and regular security assessments to minimize the risk of attackers exploiting vulnerabilities like this one.

Conclusion

The CVE-2023-39963 vulnerability in Nextcloud Server highlights the importance of actively identifying and addressing security issues in cloud storage platforms. By promptly updating to the latest patched versions, organizations can effectively avoid the risks associated with vulnerabilities like this one.

Timeline

Published on: 08/10/2023 18:15:00 UTC
Last modified on: 08/16/2023 13:39:00 UTC