Improper validation of certificates when using self-signed certificates
Risk level: Medium
CVSS v2 Base Score: 6.1 (AV:N/AC:H/Au:N/C:C/I:P/A:N)
The ownCloud Desktop Client was vulnerable against MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met:
- The connection to the remote ownCloud server must be secured using a self-signed certificate which the user imported in the ownCloud client.
- While the ownCloud client is connected to the remote ownCloud server an attacker starts a MITM attack and the user has to manually distrust the new certificate. If the connection is already MITM’d while the client is not yet running the ownCloud client will behave properly.
- User clicks “Cancel” on the appearing SSL warning.
If all conditions are met the client will continue syncing and considers the malicious certificate as valid. This allows adversaries in a MITM position to sniff the user credentials which are transfered in the Basic Authentication header as well as to other sensitive information. (including the PHP session and transferred files)
The issue was caused by calling the incorrect
QNetworkReply::ignoreSslErrors overload: Omitting the errors to be ignored as a parameter, Qt’s network stack will ignore all errors. The code is now calling the overloaded version which ignores only the error acknowledged by the user.
ownCloud highly advises affected users to update affected clients as soon as possible to ensure data integrity and confidentiality. Users with such a setup and that have experienced such a behaviour are encouraged to change their ownCloud passwords.
- ownCloud Desktop < 1.8.2 (CVE-2015-4456)
To protect our users ownCloud has issued the 1.8.2 client which addresses this issue. Users of older ownCloud clients are encouraged to import their certificate into the local system trust store.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Johannes Kliemann (firstname.lastname@example.org) – Vulnerability discovery and disclosure.