Insufficient RSA Host Key validation in files_external (SFTP driver)

Platform: ownCloud Server

Versions: 6.0.5

Date: 8/18/2014

Risk level: Low


The SFTP external storage driver verified the RSA host key only after logging in. This allows a man-in-the-middle (MITM) attack even if the host key is already known and can be validated: by the time the host key was validated, the secret had already been given away.

Note that you are only affected by this vulnerability if you use SFTP external storage. Furthermore, a successful attack requires the attacker to be able to impersonate the remote server, i.e. by having control over the routing.

Affected Software

  • ownCloud Server < 6.0.5 (CVE-2014-5341)

Action Taken

The SFTP external storage driver is now verifying known host keys before logging in.
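
The ordering problem and its fix, modelled as an added example (this is not ownCloud's driver code). A constructed in-memory server stands in for the SFTP endpoint, and every class, function and value name here is hypothetical.

```python
import hashlib
import hmac


class SimulatedSftpServer:
    """Constructed stand-in for a remote SFTP endpoint (no real network or SSH)."""

    def __init__(self, host_key: bytes):
        self.host_key = host_key
        self.seen_passwords = []  # everything this endpoint learned from clients

    def login(self, user: str, password: str) -> bool:
        self.seen_passwords.append(password)
        return True


def fingerprint(host_key: bytes) -> str:
    return hashlib.sha256(host_key).hexdigest()


def key_matches(server: SimulatedSftpServer, known_fp: str) -> bool:
    return hmac.compare_digest(fingerprint(server.host_key), known_fp)


def connect_verify_after_login(server, known_fp, user, password):
    """Order the advisory describes as vulnerable: log in, then check the key."""
    server.login(user, password)  # the password leaves the client here
    if not key_matches(server, known_fp):
        raise ConnectionError("host key mismatch")  # detected, but too late


def connect_verify_before_login(server, known_fp, user, password):
    """Order described under 'Action Taken': check the key, then log in."""
    if not key_matches(server, known_fp):
        raise ConnectionError("host key mismatch")  # nothing has been sent yet
    server.login(user, password)


def password_exposed(connect, known_key: bytes, presented_key: bytes) -> bool:
    """Run one connection attempt and report whether the endpoint saw the password."""
    server = SimulatedSftpServer(presented_key)
    try:
        connect(server, fingerprint(known_key), "alice", "constructed-secret")
    except ConnectionError:
        pass  # the mismatch is reported in both orderings
    return "constructed-secret" in server.seen_passwords
```

Both orderings raise on a mismatched key; the difference is whether the endpoint presenting that key has already received the password.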


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Andreas Fischer – ownCloud Inc. (bantu@owncloud.com) – Vulnerability discovery and disclosure.
