Lucene search

K
hackeroneTobiaskaminskyH1:1699740
HistorySep 14, 2022 - 7:53 a.m.

Nextcloud: nextcloudcmd incorrectly trusts bad TLS certificates

2022-09-1407:53:20
tobiaskaminsky
hackerone.com
129
nextcloud
tls certificates
nextcloudcmd
validation failure
mitm attack
bug bounty

EPSS

0.001

Percentile

20.4%

Ref: https://github.com/nextcloud/desktop/issues/4927

Bug description

I have a self hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust, it disregards the cert validation failure as “This is not an actual error” and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:

# nextcloudcmd --non-interactive -n ~/Nextcloud https://nextcloud.lan
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]:	2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]:	OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]:	"SSL-Errors happened for url  \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in  QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]:	JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"

After adding the root CA cert to the system’s trust store the validation passes and the warning goes away.

I am running the latest nextcloud-desktop-cmd package, version 2.6.2-1build1, on Ubuntu Server 20.04.2 LTS.

I did not see this problem in the NextCloud CVE list.

Steps to reproduce

Run nextcloudcmd against a server that has a TLS cert that the system won’t validate.

Expected behavior

Abort the operation if the server’s TLS cert cannot be validated, unless --trust is specified to explicitly override the security checks.

Which files are affected by this bug

src/libsync/account.cpp

Operating system

Linux

Which version of the operating system you are running.

Ubuntu 20.04.2 LTS

Package

Distro package manager

Nextcloud Server version

24.0.3

Nextcloud Desktop Client version

2.6.2-1build1

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

  • [X] Default internal user-backend
  • [ ] LDAP/ Active Directory
  • [ ] SSO - SAML
  • [ ] Other

Impact

Possible MITM