CVE-2021-32728

End-to-end encryption device setup did not verify public key

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.

Nextcloud Desktop Client es una herramienta para sincronizar archivos del Servidor Nextcloud con un ordenador. Los clientes usando la función de cifrado de extremo a extremo de Nextcloud descargan la clave pública y privada por medio de un endpoint de la API. En versiones anteriores a 3.3.0, el cliente Nextcloud Desktop no comprueba si una clave privada pertenece a un certificado público descargado previamente. Si la instancia de Nextcloud sirve una clave pública maliciosa, los datos se cifrarían para esta clave y, por tanto, podrían ser accesibles para un actor malicioso. Este problema es corregido en Nextcloud Desktop Client versión 3.3.0. No se presentan soluciones conocidas aparte de la actualización.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-08-18 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-09-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f5fr-5gcv-6cc5	2024-08-03
https://hackerone.com/reports/1189162	2024-08-03

URL	Date	SRC
https://github.com/nextcloud/desktop/pull/3338	2022-10-04

URL	Date	SRC
https://www.debian.org/security/2021/dsa-4974	2022-10-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nextcloud Search vendor "Nextcloud"		Desktop Search vendor "Nextcloud" for product "Desktop"				< 3.3.0 Search vendor "Nextcloud" for product "Desktop" and version " < 3.3.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected