CVE-2019-15613
📋 TL;DR
This vulnerability in Nextcloud Server allows attackers to bypass file type restrictions by manipulating file extensions. Attackers could upload malicious files disguised as allowed types, potentially leading to code execution or data compromise. All Nextcloud Server instances using workflow rules with file type checks are affected.
💻 Affected Systems
- Nextcloud Server
📦 What is this software?
Backports by Opensuse
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through malicious file upload leading to complete system compromise.
Likely Case
Unauthorized file upload bypassing security controls, potentially enabling malware distribution or data exfiltration.
If Mitigated
Limited impact with proper file validation and access controls in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.2 and later
Vendor Advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2020-002
Restart Required: No
Instructions:
1. Backup your Nextcloud instance.
2. Update to Nextcloud Server 17.0.2 or later via the updater app or manual installation.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable workflow rules
Temporarily disable workflow rules that check file mimetypes until patched.
Navigate to Settings > Administration > Workflows and disable affected rules.
Restrict file uploads
Implement additional file validation at the web server level.
Configure nginx/apache to block suspicious file uploads.
🧯 If You Can't Patch
- Implement strict file extension validation at application layer
- Enable file integrity monitoring for uploaded files
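One way to implement the application-layer check above, as an added example that is not Nextcloud's own code: compare the type an upload's extension claims with the type implied by its leading bytes, and reject (and log with the "mimetype mismatch" wording the SIEM query below searches for) anything that disagrees. The magic-byte table and allow-list are assumptions covering only a handful of common types.

```python
from typing import Optional, Tuple

# Leading-byte signatures for a few common types (assumption: only these are covered;
# a production deployment would use a full magic database).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]

# Extensions the workflow is meant to allow, mapped to the type each one claims.
EXT_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf", "zip": "application/zip",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the file header, or None if unrecognised."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Allow only when extension and sniffed type agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TYPES.get(ext)
    if claimed is None:
        return False, f"extension '.{ext}' is not on the allow-list"
    actual = sniff_type(data)
    if actual is None:
        # Unknown content is denied rather than trusted on the strength of its name.
        return False, "mimetype mismatch: header not recognised as any allowed type"
    if actual != claimed:
        return False, f"mimetype mismatch: '.{ext}' claims {claimed}, content is {actual}"
    return True, "ok"


def demo() -> dict:
    """Constructed sample uploads (not real captures) exercising the check."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,      # genuine PNG header
        "report.pdf": b"PK\x03\x04" + b"\x00" * 16,            # zip bytes named .pdf
        "notes.txt": b"plain text",                           # extension not allowed
    }
    return {name: check_upload(name, body) for name, body in samples.items()}
```

Denied uploads can be written to nextcloud.log with their reason string so the SIEM query in the Detection section picks them up.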
🔍 How to Verify
Check if Vulnerable:
Check Nextcloud version in Settings > Overview. If version is exactly 17.0.1 and workflow rules are enabled, you are vulnerable.
Check Version:
php occ status | grep 'versionstring'
Verify Fix Applied:
Verify version is 17.0.2 or later in Settings > Overview. Test file upload with mismatched extension/mimetype.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns
- Files with mismatched extensions and mimetypes
- Workflow rule bypass attempts
Network Indicators:
- Multiple file upload attempts with varying extensions
- POST requests to upload endpoints with suspicious content
SIEM Query:
source="nextcloud.log" AND ("upload" OR "workflow") AND ("bypass" OR "mimetype mismatch")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html
- https://hackerone.com/reports/697959
- https://nextcloud.com/security/advisory/?id=NC-SA-2020-002