NextCloud Security Concern

Major Incident NextCloud
25 minutes

Update

Resolved

We are considering this resolved.

Dec 30th, 2019 14:55 CST
Update

Today it was brought to our attention that a mistake was made on our part when setting up our NextCloud instance. We left the default Nginx server block in place, which routed to the same document root as cloud.mxroute.com. This allowed for a couple of troubling issues:

  1. PHP scripts could be downloaded, as the default server block was not configured to run the scripts through the interpreter. Most noteworthy would be config.php.
  2. Security values configured in the cloud.mxroute.com server block were not present when the data was accessed from this angle.

What we know to have been exposed:

  • NextCloud password salt/secret (this isn’t actually important, keep reading)
  • Email password for nextcloud@mxroute.com
  • Database password for NextCloud

What could have been exposed in theory but was not in practice:

  • Data directories containing user uploaded files

Noteworthy additions:

  • Secret/password salt are not relevant as we’re not using encryption or creating/storing user passwords in the NextCloud database. We delegate that to IMAP, so these values are irrelevant under our current configuration.

Steps to resolution:

  • Routed default Nginx server block to another location not under the cloud.mxroute.com document root
  • Rotated database and email passwords
  • Reviewed logs to confirm no direct access of customer data
  • Reviewed logs to ensure that this has only been exploited once, by the kind individual that disclosed this to us

Takeaway / Conclusion:

This could have been very damaging, and we’re very thankful that it was not. A kind security researcher notified us of this and we were able to take action very quickly. Had this been discovered by someone with malicious intent it would have been somewhat difficult for them to use it to compromise user data, but absolutely possible. This was our fault entirely, and we apologize sincerely and humbly.

Dec 30th, 2019 14:54 CST
Issue

We’ve been alerted to a security issue in the NextCloud installation. We’ve brought it down while reviewing, will explain afterward.

Dec 30th, 2019 14:31 CST