Cryptographic Vulnerabilities within the Nextcloud Server Side Encryption

16.11.2020 yahe publicity security

Nearly a year ago I wrote that I had taken an extensive look into the server side encryption that is provided by the Default Encryption Module of Nextcloud. I also mentioned that I had written some helpful tools and an elaborate description for people who have to work with its encryption.

What I did not write about at that time was that I had also discovered several cryptographic vulnerabilities. After a full year, these have now finally been fixed, the corresponding HackerOne reports have been disclosed and so I think it is about time to also publish the whitepaper that I have written about these vulnerabilities.

The paper is called "Cryptographic Vulnerabilities and Other Shortcomings of the Nextcloud Server Side Encryption as implemented by the Default Encryption Module" and is available through the Cryptology ePrint Archive as report 2020/1439. The vulnerabilities presented in this paper have received their own CVEs, namely:

  • CVE-2020-8133 went to the vulnerability described in the chapter "Insufficient integrity protection of files leads to breach of integrity (I)". More details can be found in the HackerOne report 661051 and in the Nextcloud Security Advisory NC-SA-2020-038.
  • CVE-2020-8150 went to the vulnerability described in the chapter "Insufficient integrity protection of files leads to breach of integrity (III)". More details can be found in the HackerOne report 742588 and in the Nextcloud Security Advisory NC-SA-2020-039.
  • CVE-2020-8152 went to the vulnerability described in the chapter "Insufficient integrity protection of files leads to breach of integrity (II)". More details can be found in the HackerOne report 743505 and in the Nextcloud Security Advisory NC-SA-2020-040.
  • CVE-2020-8259 went to the vulnerability described in the chapter "Insufficient integrity protection of public keys leads to breach of confidentiality". More details can be found in the HackerOne report 732431 and in the Nextcloud Security Advisory NC-SA-2020-041.

Having such an in-depth look into the implementation of a real-world application has been a lot of fun. However, I am also relieved that this project now finally comes to an end. I am eager to start with something new. 😃
