CVE-2023-35927
📋 TL;DR
This vulnerability allows a malicious Nextcloud server to modify or delete VCards in the system addressbook on a trusted partner server. It affects Nextcloud Server and Enterprise Server installations configured with trusted server relationships. The impact is limited to addressbook data corruption affecting user search and avatar displays.
💻 Affected Systems
- NextCloud Server
- NextCloud Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Malicious trusted server could systematically corrupt all addressbook entries, disrupting user lookup functionality and potentially causing operational confusion.
Likely Case
Targeted modification of specific user VCards by a compromised trusted server, causing incorrect contact information display.
If Mitigated
No impact if trusted server relationships are properly managed or removed, or if patched versions are deployed.
🎯 Exploit Status
Exploitation requires: 1) a trusted server relationship established with the attacker-controlled server, 2) a completed shared-secret exchange between the two instances, 3) the trusted server itself acting maliciously or having been compromised. This is not a remote unauthenticated vulnerability; an arbitrary Internet host cannot reach the affected code path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Server: 25.0.7, 26.0.2; Enterprise: 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, 26.0.2
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87
Restart Required: No
Instructions:
1. Back up your Nextcloud instance (database and data directory).
2. Update to a patched version via your package manager or manual download.
3. Run occ upgrade if needed.
4. Verify the version with occ status.
🔧 Temporary Workarounds
Remove Trusted Servers
Remove all trusted server relationships to eliminate the attack vector.
Navigate to Administration > Sharing settings and remove all trusted servers.
Then rebuild the system addressbook from the local user backend, which restores any entries a trusted server has modified or deleted:
Run: sudo -u www-data php occ dav:sync-system-addressbook
🧯 If You Can't Patch
- Remove all trusted server relationships immediately
- Monitor addressbook changes and audit trusted server connections
🔍 How to Verify
Check if Vulnerable:
Check if you have any trusted servers configured in Administration > Sharing settings, and verify your version against affected ranges.
Check Version:
sudo -u www-data php occ status | grep 'versionstring'
Verify Fix Applied:
Confirm version is patched and no trusted servers remain unless absolutely necessary with verified partners.
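The version check above can be scripted against the fixed releases listed in the advisory. The following helper is an added example for this page, not a Nextcloud tool: it parses the `versionstring` line of `occ status` and compares it with the minimum fixed release for the instance's major version. It assumes majors below 21 (end-of-life, no fix published) are vulnerable and majors above 26 (released after the fix) are not; the `check_local` helper and its `occ` invocation path are illustrative.

```python
"""Check a Nextcloud versionstring against the fixed releases from
GHSA-h7f7-535f-7q87 (CVE-2023-35927).  Added example, not Nextcloud code."""
import re
import subprocess

# Minimum fixed release per major, taken from the advisory.  Enterprise
# 21-24 use four-component versions; 25 and 26 are the community releases.
FIXED = {
    21: (21, 0, 9, 12),
    22: (22, 2, 10, 12),
    23: (23, 0, 12, 7),
    24: (24, 0, 12, 2),
    25: (25, 0, 7),
    26: (26, 0, 2),
}


def parse_version(versionstring):
    """'25.0.6' -> (25, 0, 6).  Trailing text such as ' RC1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", versionstring.strip())
    if not m:
        raise ValueError(f"unrecognised versionstring: {versionstring!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_patched(versionstring):
    """True if the version is at or above the fix for its major release.

    Assumption: majors < 21 were end-of-life with no fix (vulnerable);
    majors > 26 post-date the fix (not affected).
    """
    v = parse_version(versionstring)
    major = v[0]
    if major < 21:
        return False
    if major > 26:
        return True
    fixed = FIXED[major]
    # Zero-pad so a 3-component community version compares correctly
    # against a 4-component enterprise threshold (21.0.9 < 21.0.9.12).
    n = max(len(v), len(fixed))
    return v + (0,) * (n - len(v)) >= fixed + (0,) * (n - len(fixed))


def versionstring_from_status(status_output):
    """Extract the versionstring from `occ status` text output,
    e.g. the line '  - versionstring: 25.0.6'."""
    m = re.search(r"versionstring:\s*(\S+)", status_output)
    if not m:
        raise ValueError("no versionstring in occ status output")
    return m.group(1)


def check_local(occ=("sudo", "-u", "www-data", "php", "occ")):
    """Run occ status on this host (hypothetical invocation path) and
    return (versionstring, patched?)."""
    out = subprocess.run([*occ, "status"], capture_output=True,
                         text=True, check=True).stdout
    vs = versionstring_from_status(out)
    return vs, is_patched(vs)


if __name__ == "__main__":
    vs, ok = check_local()
    print(f"Nextcloud {vs}: {'patched' if ok else 'VULNERABLE to CVE-2023-35927'}")
```

Run it on the Nextcloud host as a user allowed to invoke occ. A version check alone is not sufficient: an instance that is patched but still has a stale, tampered system addressbook needs the `dav:sync-system-addressbook` resync described under the workarounds.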
📡 Detection & Monitoring
Log Indicators:
- Unexpected addressbook modifications
- Suspicious activity from trusted server IPs
- Failed or unusual trusted server authentication attempts
Network Indicators:
- Unusual API calls between trusted servers
- Abnormal traffic patterns in server-to-server communications
SIEM Query:
source="nextcloud.log" AND ("addressbook" OR "vcard") AND ("modif" OR "delete" OR "corrupt")
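Nextcloud does not necessarily write a log line for every card a trusted server rewrites, so the log query above is only a starting point. A more reliable check for the "monitor addressbook changes" advice under "If You Can't Patch" and for this section is to snapshot the system addressbook itself and diff it over time. The script below is an added example for this page, not part of Nextcloud: it parses two `.vcf` exports (baseline and current), indexes cards by `UID`, and reports cards that were deleted, added, or had properties changed. The sample vCards are constructed; the `UID` and `CLOUD` shapes imitate system-addressbook entries but are not taken from a real export. How you obtain the snapshots (for example a CardDAV export of the system addressbook on a schedule) is left to the operator.

```python
"""Diff two snapshots of the Nextcloud system addressbook to spot cards a
trusted server may have altered or removed.  Added example, not Nextcloud code."""


def parse_vcf(text):
    """Split a .vcf export into {UID: {PROPERTY: value}}.

    Handles RFC 6350 line folding (continuation lines begin with a space or
    tab) and strips property parameters such as ';TYPE=WORK'.
    """
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    cards, current = {}, None
    for line in lines:
        if line.upper() == "BEGIN:VCARD":
            current = {}
        elif line.upper() == "END:VCARD":
            if current is None or "UID" not in current:
                raise ValueError("vCard without UID")
            cards[current["UID"]] = current
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()
            current[name] = value
    return cards


def diff_addressbooks(baseline_vcf, current_vcf, ignore=("PRODID",)):
    """Return {'deleted': [...], 'added': [...], 'modified': {UID: {PROP: (old, new)}}}.

    Properties named in `ignore` are not compared (PRODID changes with the
    generating library, not with the data).
    """
    base, cur = parse_vcf(baseline_vcf), parse_vcf(current_vcf)
    report = {"deleted": sorted(base.keys() - cur.keys()),
              "added": sorted(cur.keys() - base.keys()),
              "modified": {}}
    for uid in sorted(base.keys() & cur.keys()):
        changed = {}
        for prop in (base[uid].keys() | cur[uid].keys()) - set(ignore):
            if base[uid].get(prop) != cur[uid].get(prop):
                changed[prop] = (base[uid].get(prop), cur[uid].get(prop))
        if changed:
            report["modified"][uid] = changed
    return report


# Constructed sample snapshots: in CURRENT_VCF, alice's e-mail has been
# rewritten and bob's card has been removed entirely.
BASELINE_VCF = """BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.4.2//EN
UID:Database:alice
FN:Alice Example
N:Example;Alice;;;
EMAIL;TYPE=OTHER:alice@example.com
CLOUD:alice@cloud.example.com
NOTE:Finance team, reachable
  via the shared mailbox too
END:VCARD
BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.4.2//EN
UID:Database:bob
FN:Bob Example
EMAIL;TYPE=OTHER:bob@example.com
CLOUD:bob@cloud.example.com
END:VCARD
"""

CURRENT_VCF = """BEGIN:VCARD
VERSION:3.0
PRODID:-//Sabre//Sabre VObject 4.5.0//EN
UID:Database:alice
FN:Alice Example
N:Example;Alice;;;
EMAIL;TYPE=OTHER:alice@attacker.example
CLOUD:alice@cloud.example.com
NOTE:Finance team, reachable
  via the shared mailbox too
END:VCARD
"""

if __name__ == "__main__":
    for kind, entries in diff_addressbooks(BASELINE_VCF, CURRENT_VCF).items():
        print(kind, entries)
```

Any `deleted` or `modified` entry that does not correspond to a user being removed or edited in your own user backend is a candidate for a trusted-server rewrite; the authoritative repair is `occ dav:sync-system-addressbook`, which regenerates the cards from the local backend.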
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87
- https://github.com/nextcloud/server/pull/38247
- https://hackerone.com/reports/1976754