CVE-2021-33828
📋 TL;DR
This vulnerability in ownCloud's files_antivirus component allows malicious files uploaded to public shares to persist even after antivirus detection. Attackers can upload malware to publicly accessible shares, and the system fails to delete these files upon detection. All ownCloud instances with the files_antivirus component enabled are affected.
💻 Affected Systems
- ownCloud
⚠️ Risk & Real-World Impact
Worst Case
Malware distribution platform where attackers persistently host malicious files on your ownCloud instance, leading to widespread infection of users who download from public shares.
Likely Case
Attackers upload malware to public shares that remains accessible despite antivirus detection, potentially infecting users who download these files.
If Mitigated
With proper monitoring and user education, impact is limited to isolated incidents that can be quickly detected and remediated.
🎯 Exploit Status
Exploitation requires access to upload files to a public share, which may or may not require authentication depending on share configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: files_antivirus component version 1.0.0 or later
Vendor Advisory: https://owncloud.com/security-advisories/cve-2021-33828/
Restart Required: No
Instructions:
1. Update the files_antivirus component to version 1.0.0 or later via ownCloud's app management interface.
2. Verify the update completed successfully.
3. Test antivirus functionality with a test file.
🔧 Temporary Workarounds
Disable public shares
Temporarily disable all public shares to prevent file uploads from unauthenticated users
Disable files_antivirus component
Remove the vulnerable component until patching is possible
🧯 If You Can't Patch
- Implement strict monitoring of public share uploads and file access patterns
- Configure external antivirus scanning at the network perimeter for all downloads from ownCloud
🔍 How to Verify
Check if Vulnerable:
Check the files_antivirus component version in ownCloud's app management interface. If version is below 1.0.0, the system is vulnerable.
Check Version:
Check via ownCloud web interface: Apps → Installed apps → files_antivirus
Verify Fix Applied:
Verify that the files_antivirus component version is 1.0.0 or higher in the app management interface. Then upload a malicious test file to a public share and confirm that it is deleted.
📡 Detection & Monitoring
Log Indicators:
- Antivirus scan events without corresponding file deletion events
- Multiple file uploads to public shares from same source
- Files remaining in public shares after antivirus detection alerts
Network Indicators:
- Unusual download patterns from public shares
- Multiple connections downloading same file from public shares
SIEM Query:
source="owncloud" AND (event="antivirus_detection" AND NOT event="file_deleted")
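The first log indicator above, a detection with no matching deletion, is a correlation across events, which a filter evaluated on one event at a time cannot express. The following is an added example, not ownCloud's or the advisory's code: it pairs the two event types over constructed log lines. The key=value log layout and the `share` and `path` fields are assumptions; only the event names come from the query on this page.

```python
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and the share/path fields are
# assumptions; only the event names antivirus_detection and file_deleted come
# from the query on this page. Values must not contain spaces.
SAMPLE_LOG = """\
2021-06-01T10:00:00 source=owncloud event=file_uploaded share=tok1 path=/drop/sample-a.bin
2021-06-01T10:00:02 source=owncloud event=antivirus_detection share=tok1 path=/drop/sample-a.bin
2021-06-01T10:05:00 source=owncloud event=antivirus_detection share=tok2 path=/inbox/sample-b.bin
2021-06-01T10:05:01 source=owncloud event=file_deleted share=tok2 path=/inbox/sample-b.bin
2021-06-01T10:09:00 source=owncloud event=file_deleted share=tok3 path=/inbox/old.txt
2021-06-01T10:20:00 source=owncloud event=antivirus_detection share=tok2 path=/inbox/sample-b.bin
"""


def parse(line):
    """Split one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def undeleted_detections(log_text, window=timedelta(seconds=60)):
    """Return (time, share, path) for detections with no deletion of the same
    file in the same share within `window` after the detection."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    pending = []  # detections still waiting for their file_deleted event
    for ev in events:
        key = (ev.get("share"), ev.get("path"))
        if ev.get("event") == "antivirus_detection":
            pending.append({"key": key, "ts": ev["ts"], "deleted": False})
        elif ev.get("event") == "file_deleted":
            for det in pending:
                age = ev["ts"] - det["ts"]
                # A deletion only counts if it follows the detection in time.
                if det["key"] == key and timedelta(0) <= age <= window:
                    det["deleted"] = True
    return [(d["ts"].isoformat(), *d["key"]) for d in pending if not d["deleted"]]


if __name__ == "__main__":
    for ts, share, path in undeleted_detections(SAMPLE_LOG):
        print(f"ALERT detection without deletion: {ts} share={share} path={path}")
```

The second alert in the sample is a file flagged again after an earlier copy was deleted, which a per-path "was it ever deleted" check would miss.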