Insufficient RSA Host Key validation in files_external (SFTP driver) - ownCloud

Advisory ID: OWNCLOUD:268AB09550692362608E8E632124E3A2
Published: 2014-08-18 18:31:18
Reporter: Andreas Fischer – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
Source: owncloud.org
EPSS: 0.003 (Low), percentile 66.4%

The SFTP external storage driver was verifying the RSA host key only after logging in. This allows a man-in-the-middle (MITM) attack even when the host key is already known and could have been validated: by the time the host key was checked, the login credentials had already been sent to whatever server answered the connection.

It should be noted that you are only affected by this vulnerability if you are using SFTP external storage. Furthermore, a successful attack requires the attacker to be able to impersonate the remote server, for example by having control over the routing.

Affected Software

  • ownCloud Server < 6.0.5 (CVE-2014-5341)

Action Taken

The SFTP external storage driver is now verifying known host keys before logging in.
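The ordering problem described in the advisory and the fix above can be shown with a small simulation. This is an added example written for this page, not ownCloud's files_external code and not phpseclib: the server, host keys, host name and credentials are all constructed stand-ins, and the SSH transport is reduced to "server presents a host key, client sends credentials". The point it makes is the one the advisory makes: with the pre-6.0.5 ordering an impersonating server receives the credentials before the mismatch is noticed, while with the fixed ordering the client aborts on the known-hosts check and sends nothing.

```python
"""Simulation of CVE-2014-5341's ordering bug (added example, not project code)."""
import hashlib
import hmac


class HostKeyMismatch(Exception):
    """Raised when the presented host key does not match the known_hosts entry."""


class FakeSftpServer:
    """Constructed stand-in for an SFTP server; may be genuine or an impersonator."""

    def __init__(self, host_key: bytes):
        self.host_key = host_key
        self.received_credentials = []  # what an impersonator would harvest

    def handshake(self) -> bytes:
        # SSH transport: the server presents its host key during key exchange.
        return self.host_key

    def login(self, user: str, password: str) -> bool:
        # Whatever answered the connection now holds the credentials.
        self.received_credentials.append((user, password))
        return True


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def host_key_matches(known_hosts: dict, host: str, presented: bytes) -> bool:
    """Strict known_hosts check: an unknown host is a failure, not trust-on-first-use."""
    expected = known_hosts.get(host)
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(expected), fingerprint(presented))


def vulnerable_connect(server, host, user, password, known_hosts) -> bool:
    """Pre-6.0.5 ordering: credentials go out, the host key is checked afterwards."""
    presented = server.handshake()
    server.login(user, password)  # secret already given away at this point
    if not host_key_matches(known_hosts, host, presented):
        raise HostKeyMismatch(host)
    return True


def fixed_connect(server, host, user, password, known_hosts) -> bool:
    """6.0.5 ordering: verify the known host key first, only then authenticate."""
    presented = server.handshake()
    if not host_key_matches(known_hosts, host, presented):
        raise HostKeyMismatch(host)
    server.login(user, password)
    return True


# Constructed sample data: one known host and two candidate servers.
KNOWN_HOSTS = {"storage.example": b"ssh-rsa GENUINE-KEY (constructed)"}
GENUINE_KEY = KNOWN_HOSTS["storage.example"]
IMPOSTOR_KEY = b"ssh-rsa IMPOSTOR-KEY (constructed)"


def credentials_leaked_to_impersonator(connect_fn) -> list:
    """Connect to an impersonating server with connect_fn; return what it captured."""
    impostor = FakeSftpServer(IMPOSTOR_KEY)
    try:
        connect_fn(impostor, "storage.example", "owncloud", "s3cret", KNOWN_HOSTS)
    except HostKeyMismatch:
        pass  # both orderings eventually notice the mismatch
    return impostor.received_credentials


def connects_to_genuine_server(connect_fn) -> bool:
    """Both orderings must still work against the real server."""
    genuine = FakeSftpServer(GENUINE_KEY)
    return connect_fn(genuine, "storage.example", "owncloud", "s3cret", KNOWN_HOSTS)


if __name__ == "__main__":
    print("vulnerable ordering leaked:", credentials_leaked_to_impersonator(vulnerable_connect))
    print("fixed ordering leaked:     ", credentials_leaked_to_impersonator(fixed_connect))
```

Running the script shows the vulnerable ordering handing `("owncloud", "s3cret")` to the impostor before raising `HostKeyMismatch`, while the fixed ordering raises first and the impostor's list stays empty. The check is deliberately strict about unknown hosts; a driver that silently accepted an unknown key on first connection would reopen the same window.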

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Andreas Fischer - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.

CPE: owncloud server, operator lt, version 6.0.5
