CVE-2024-37313
📋 TL;DR
This vulnerability allows attackers to bypass two-factor authentication (2FA) in Nextcloud Server after successfully obtaining valid user credentials. It affects self-hosted Nextcloud instances where 2FA is enabled, potentially allowing unauthorized access to user accounts and cloud data.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers with stolen credentials gain full access to user accounts, including sensitive files, personal data, and administrative functions if targeting admin accounts.
Likely Case
Unauthorized access to user accounts leading to data theft, privilege escalation, or lateral movement within the Nextcloud environment.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated Nextcloud instances with no access to critical infrastructure.
🎯 Exploit Status
Requires valid user credentials first, then exploits a flaw in the 2FA verification process. The technical details are available in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.0.13, 27.1.8, 28.0.4 for Nextcloud Server; 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8, 28.0.4 for Enterprise
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
Restart Required: Yes
Instructions:
1. Backup your Nextcloud instance and database.
2. Update Nextcloud via the web updater (Settings > Overview) or manually via command line.
3. Restart the web server (e.g., systemctl restart apache2).
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Temporarily Disable 2FA
Disable two-factor authentication globally to prevent bypass until patching is possible. Run on the server as the web-server user (www-data on Debian/Ubuntu). This disables the TOTP provider app for all users; any other 2FA provider apps in use need the same treatment:
sudo -u www-data php occ app:disable twofactor_totp
🧯 If You Can't Patch
- Implement strict network access controls to limit Nextcloud access to trusted IPs only.
- Enforce strong password policies and monitor for credential stuffing attempts.
🔍 How to Verify
Check if Vulnerable:
Check your Nextcloud version via the web interface (Settings > Overview) or command line: sudo -u www-data php occ status
Check Version:
sudo -u www-data php occ status | grep version
Verify Fix Applied:
Confirm version is patched (e.g., 28.0.4 or higher) and test 2FA login flow with a test account.
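As an added worked check, not part of this advisory or of Nextcloud's own tooling: a Python script that parses the version line of `occ status` output and compares it with the fixed versions listed under Official Fix. The sample status output is constructed, and the verdict for release lines newer than 28 is an assumption to confirm against the vendor advisory.

```python
#!/usr/bin/env python3
"""Compare an `occ status` dump with the CVE-2024-37313 fixed versions (added example)."""
import re
import sys

# Minimum fixed versions from the advisory above, keyed by release line (first component).
FIXED_SERVER = {26: (26, 0, 13), 27: (27, 1, 8), 28: (28, 0, 4)}
FIXED_ENTERPRISE = {
    21: (21, 0, 9, 17), 22: (22, 2, 10, 22), 23: (23, 0, 12, 17),
    24: (24, 0, 12, 13), 25: (25, 0, 13, 8),
    26: (26, 0, 13), 27: (27, 1, 8), 28: (28, 0, 4),
}

# Constructed sample of `occ status` output for an unpatched 28.0.3 install.
SAMPLE_STATUS = """  - installed: true
  - version: 28.0.3.2
  - versionstring: 28.0.3
  - productname: Nextcloud
"""


def parse_version(status_text):
    """Extract the 'version:' field from `occ status` output as an int tuple."""
    m = re.search(r"^\s*-\s*version:\s*([\d.]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'version:' line found in occ status output")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version, enterprise=False):
    """Return 'vulnerable', 'fixed' or 'unknown' for a version tuple."""
    # Tuple comparison copes with occ's 4-part build numbers: (28,0,3,2) < (28,0,4) <= (28,0,4,1).
    table = FIXED_ENTERPRISE if enterprise else FIXED_SERVER
    line = version[0]
    if line in table:
        return "vulnerable" if version < table[line] else "fixed"
    if line < min(table):
        # Release line older than any fix in the advisory: treat as vulnerable.
        return "vulnerable"
    # Newer line than the advisory lists; assumption: confirm against the vendor advisory.
    return "unknown"


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    ver = parse_version(text)
    print(".".join(map(str, ver)), assess(ver, enterprise="--enterprise" in sys.argv))
```

Pipe the real output in with `sudo -u www-data php occ status | python3 check_cve_2024_37313.py`, adding `--enterprise` on Enterprise installs.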
📡 Detection & Monitoring
Log Indicators:
- Multiple failed 2FA attempts followed by successful login without 2FA code
- Login events where 2FA step appears skipped in authentication logs
Network Indicators:
- Unusual authentication patterns from single IP addresses
- Rapid succession of login attempts against multiple accounts
SIEM Query:
source="nextcloud.log" ("2FA" OR "two-factor") AND ("bypass" OR "skip" OR "failed") AND "success"
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
- https://github.com/nextcloud/server/pull/44276
- https://hackerone.com/reports/2419776