CVE-2021-22915
📋 TL;DR
This vulnerability allows attackers to bypass Nextcloud's brute-force protection by using IPv6 addresses, which were not included in the rate-limiting calculations. Since IPv6 sources are not throttled, an attacker who rotates through addresses in an IPv6 range they control (a single /64 allocation alone provides 2^64 addresses) can make effectively unlimited authentication attempts against a Nextcloud instance and guess user passwords. All Nextcloud servers that are reachable over IPv6 and run a vulnerable version are affected.
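To make the mechanism concrete, here is an added illustration written for this page; it is not Nextcloud's own throttler code. It puts a minimal failed-login throttle keyed on the exact source address (the pattern the bypass exploits) next to one keyed on the /64 prefix for IPv6 and /32 for IPv4, and runs a simulated attacker through both. The threshold of 5, the prefix lengths and the attacker's 2001:db8:abcd:1234::/64 range are assumptions for the demonstration.

```python
# Added example for this page, not Nextcloud code.
import ipaddress
from collections import defaultdict

MAX_ATTEMPTS = 5  # assumed failures allowed per bucket before blocking


def bucket_exact(ip: str) -> str:
    """Vulnerable keying: every distinct address gets its own counter,
    so an attacker who can change address never reaches the threshold."""
    return str(ipaddress.ip_address(ip))


def bucket_by_prefix(ip: str) -> str:
    """Hardened keying (assumed policy): count per /32 for IPv4 and per /64
    for IPv6, the smallest allocation an IPv6 client typically controls.
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, as seen on dual-stack
    sockets) are unmapped first so they are not all lumped into ::/64."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix_len = 32 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


class Throttler:
    """Counts failed logins per bucket; blocks once the bucket is full."""

    def __init__(self, key_func, max_attempts: int = MAX_ATTEMPTS):
        self.key_func = key_func
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def is_blocked(self, ip: str) -> bool:
        return self.failures[self.key_func(ip)] >= self.max_attempts

    def record_failure(self, ip: str) -> None:
        self.failures[self.key_func(ip)] += 1


def simulate_rotation(throttler: Throttler, attempts: int) -> int:
    """Attacker sends `attempts` bad passwords, changing the low 64 bits of a
    single (constructed, documentation-range) /64 on every request.
    Returns how many attempts actually reached the password check."""
    reached = 0
    for i in range(attempts):
        ip = f"2001:db8:abcd:1234::{i:x}"
        if throttler.is_blocked(ip):
            continue
        reached += 1
        throttler.record_failure(ip)
    return reached


if __name__ == "__main__":
    print("per-address bucket:", simulate_rotation(Throttler(bucket_exact), 100))
    print("per-/64 bucket    :", simulate_rotation(Throttler(bucket_by_prefix), 100))
```

With per-address buckets all 100 guesses reach the password check; with per-/64 buckets only the first 5 do. The prefix length is a trade-off: an attacker holding a /48 can still rotate across 65,536 separate /64s, while a coarser bucket risks locking out legitimate users who share a prefix, which is why per-account limits and multi-factor authentication belong alongside source-based throttling.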
💻 Affected Systems
- Nextcloud Server 19.x before 19.0.11, 20.x before 20.0.10, and 21.x before 21.0.2
📦 What is this software?
Nextcloud Server is a self-hosted file sync, sharing and collaboration platform written in PHP. Besides the upstream releases it is packaged downstream by distributions such as Fedora, which is why Fedora package-announce notices appear in the references.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through brute-force password guessing, leading to data theft, privilege escalation, and potential lateral movement within the organization.
Likely Case
Successful brute-force attacks against weak passwords, resulting in unauthorized access to user accounts and sensitive data.
If Mitigated
Limited impact with strong passwords, multi-factor authentication, and network-level rate limiting in place.
🎯 Exploit Status
Exploitation requires only standard HTTP requests and IPv6 address rotation. Public reports demonstrate the bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.0.11, 20.0.10, or 21.0.2
Vendor Advisory: https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
Restart Required: No
Instructions:
1. Back up your Nextcloud instance (database, config directory and data directory).
2. Update to 19.0.11, 20.0.10 or 21.0.2, whichever matches your release branch, using the updater app or a manual installation.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable IPv6
Linux: temporarily disable IPv6 connectivity on the Nextcloud host to prevent exploitation while planning patching. The sysctl calls below take effect immediately but do not survive a reboot; persist them under /etc/sysctl.d/ if the window is longer. This only helps when the Nextcloud host is the IPv6 endpoint itself: behind a reverse proxy or load balancer that terminates IPv6, disable IPv6 (or rate-limit) there instead, and make sure trusted_proxies and forwarded_for_headers are configured so Nextcloud sees the real client address rather than the proxy's. Expect IPv6-only clients to lose access while this is in place.
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
Network-level rate limiting
All platforms: implement rate limiting at the network perimeter (firewall, WAF or load balancer) for the login endpoint. Key the limit on the /64 prefix (or coarser) rather than on the individual IPv6 address; a per-address limit is bypassed by the same address rotation this CVE describes.
🧯 If You Can't Patch
- Enable multi-factor authentication for all users
- Implement strong password policies and monitor for brute-force attempts
🔍 How to Verify
Check if Vulnerable:
Check the Nextcloud version on the admin settings overview page, or run occ from the Nextcloud install directory as the web server user: sudo -u www-data php occ status
Check Version:
sudo -u www-data php occ status | grep 'versionstring'
Verify Fix Applied:
Confirm that versionstring is at least 19.0.11 on the 19 branch, 20.0.10 on the 20 branch or 21.0.2 on the 21 branch; later major releases (22 and up) already contain the fix.
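The branch-aware comparison above is easy to get wrong by hand (21.0.1 is vulnerable while 20.0.10 is not). The following is an added helper written for this page, not an official Nextcloud tool: it parses the versionstring line from occ status output and decides per branch. It assumes that branches older than 19 were out of support and never received the fix (so they count as vulnerable) and that 22 and later shipped after the fix; the sample occ output is constructed.

```python
# Added version check for this page, not an official Nextcloud tool.
import re

# Fixed releases from the advisory, one per supported branch.
FIXED = {19: (19, 0, 11), 20: (20, 0, 10), 21: (21, 0, 2)}


def parse_versionstring(occ_status_output: str) -> tuple:
    """Extract 'versionstring: X.Y.Z' from `occ status` output as an int tuple."""
    m = re.search(r"versionstring:\s*(\d+(?:\.\d+)*)", occ_status_output)
    if not m:
        raise ValueError("no versionstring line found in occ status output")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True when the installed version predates the fix on its branch.
    Assumptions: branches older than 19 never got the fix (vulnerable);
    22 and later were released after the fix (not vulnerable)."""
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    return major < min(FIXED)


# Constructed sample of `sudo -u www-data php occ status` output.
SAMPLE_STATUS = """  - installed: true
  - version: 21.0.1.1
  - versionstring: 21.0.1
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
"""

if __name__ == "__main__":
    v = parse_versionstring(SAMPLE_STATUS)
    print(".".join(map(str, v)), "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it the real output with something like `sudo -u www-data php occ status | python3 check.py` after replacing SAMPLE_STATUS with sys.stdin.read().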
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from different IPv6 addresses
- Unusual authentication patterns bypassing normal rate limits
Network Indicators:
- High volume of authentication requests from IPv6 subnets
- IPv6 address rotation patterns
SIEM Query (Splunk syntax; nextcloud.log is JSON and carries the client address in remoteAddr, which some SIEMs normalise to src_ip):
source="nextcloud.log" ("Login failed" OR "Authentication error") | stats count by remoteAddr | where count > 10
Because the attacker rotates addresses, a per-address count may stay at 1 for every address and never trip this threshold; additionally aggregate by /64 prefix and alert on many distinct addresses within one prefix.
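The per-address query misses the rotation pattern by construction. The following is an added detection example written for this page, not Nextcloud code: it reads nextcloud.log JSON lines, counts "Login failed" entries both per exact address (what the query above does) and per /64 prefix, and reports prefixes over the threshold together with how many distinct addresses they contained. The sample log lines are constructed, the field names follow the nextcloud.log JSON format, and the /64 bucket size is an assumption.

```python
# Added detection example for this page, not Nextcloud code.
import ipaddress
import json
from collections import Counter, defaultdict

FAILED_PREFIX = "Login failed"  # message prefix of Nextcloud's failed-login warning


def prefix_bucket(ip: str, v6_prefix_len: int = 64) -> str:
    """Collapse an address to its /32 (IPv4) or /64 (IPv6, assumed) prefix,
    unmapping ::ffff:a.b.c.d first so dual-stack IPv4 clients stay separate."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    plen = 32 if addr.version == 4 else v6_prefix_len
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def failed_login_addresses(log_lines):
    """Yield remoteAddr for every 'Login failed' entry; skips blank or non-JSON lines."""
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not str(entry.get("message", "")).startswith(FAILED_PREFIX):
            continue
        ip = entry.get("remoteAddr")
        if ip:
            yield ip


def failures_per_address(log_lines) -> Counter:
    """What the page's SIEM query computes: one counter per exact address."""
    return Counter(failed_login_addresses(log_lines))


def failures_per_prefix(log_lines, threshold: int = 10) -> dict:
    """Counter per /64 (or /32); returns {prefix: (failures, distinct_addresses)}
    for buckets above threshold. Many distinct addresses in one prefix is the
    rotation signature this CVE produces."""
    counts = Counter()
    seen = defaultdict(set)
    for ip in failed_login_addresses(log_lines):
        try:
            bucket = prefix_bucket(ip)
        except ValueError:
            continue  # unparsable address, e.g. a proxy that logged a hostname
        counts[bucket] += 1
        seen[bucket].add(ip)
    return {b: (n, len(seen[b])) for b, n in counts.items() if n > threshold}


def _entry(ip: str, message: str) -> str:
    """Build one constructed nextcloud.log line with the fields Nextcloud emits."""
    return json.dumps({"reqId": "x", "level": 2, "time": "2021-05-01T10:00:00+00:00",
                       "remoteAddr": ip, "user": "--", "app": "core",
                       "method": "POST", "url": "/login", "message": message})


# Constructed sample: 12 failures rotating through one /64 (one per address),
# 3 failures from a single IPv4 host, one unrelated entry and one garbage line.
SAMPLE_LOG = []
for _i in range(12):
    _ip = f"2001:db8:abcd:1234::{_i:x}"
    SAMPLE_LOG.append(_entry(_ip, f"Login failed: 'admin' (Remote IP: '{_ip}')"))
SAMPLE_LOG += [_entry("203.0.113.7", "Login failed: 'bob' (Remote IP: '203.0.113.7')")] * 3
SAMPLE_LOG += [_entry("203.0.113.7", "Config value loaded"), "not json at all"]

if __name__ == "__main__":
    print("per address:", failures_per_address(SAMPLE_LOG).most_common(3))
    print("per prefix :", failures_per_prefix(SAMPLE_LOG))
```

On the sample the per-address view tops out at 3 failures (the IPv4 host), below the page's threshold of 10, while the per-prefix view flags 2001:db8:abcd:1234::/64 with 12 failures across 12 distinct addresses. Run it over a real file with `failures_per_prefix(open("/var/www/nextcloud/data/nextcloud.log"))`, adjusting the path to your data directory.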
🔗 References
- https://hackerone.com/reports/1154003
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-009