Insufficient RSA Host Key validation in files_external (SFTP driver)
Platform: ownCloud Server
Risk level: Low
The SFTP external storage driver was verifying the RSA Host Key after logging in. This allows for a man-in-the-middle (MITM) attack even if the host key is already known and can be validated. Basically, at the point where the host key was validated, the secret has already been given away.
It should be noted, that you’re only affected by this vulnerability if you’re using SFTP external storage. Furthermore, a successful attack requires an attacker to be able to impersonate the remote server, i.e. by having control over the routing.
- ownCloud Server < 6.0.5 (CVE-2014-5341)
The SFTP external storage driver is now verifying known host keys before logging in.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Andreas Fischer – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.