CVE-2021-32658: Nextcloud Android app fails to properly clean sensitive data on account removal due to a timeout issue, potentially exposing encryption keys.


Description

The Nextcloud Android client contains a vulnerability (CVE-2021-32658) in which sensitive data, including End-to-End encryption keys, may not be properly cleaned up when an account is removed, because of a timeout issue. This improper cleanup of sensitive information (CWE-212) could expose user data to unauthorized access. The vulnerability affects versions of the Nextcloud Android application prior to 3.16.1.

Overview

Nextcloud Android is the official mobile client for the Nextcloud open-source home cloud system. The vulnerability occurs during the account removal process: the application fails to clean up all sensitive data because a step in that process can time out. As a result, sensitive key material, in particular End-to-End encryption keys, can remain on the device after the account has been removed. An attacker who gains access to the device could extract these keys and use them to decrypt the user's data stored in the Nextcloud service.
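The ordering problem described above, as an added illustration in hypothetical Java (not the Nextcloud client's code): a remote removal step that can time out sits in front of the local key wipe, so a timeout leaves the keys in place; beside it, a version that wipes local key material unconditionally, and a post-removal check that a test suite can assert on. The key store, the account names and the server call are all constructed stand-ins.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeoutException;

public class AccountRemoval {
    // Constructed stand-in for the app's per-account key store (private key, mnemonic, ...).
    static final Map<String, Map<String, String>> KEY_STORE = new HashMap<>();

    // Constructed stand-in for the remote call; throws when the server does not answer in time.
    static void notifyServerOfRemoval(String account, boolean serverResponds)
            throws TimeoutException {
        if (!serverResponds) throw new TimeoutException("server did not answer");
    }

    // Vulnerable ordering: the local key wipe only runs if the remote step succeeds.
    static boolean removeAccountVulnerable(String account, boolean serverResponds) {
        try {
            notifyServerOfRemoval(account, serverResponds);
            KEY_STORE.remove(account);   // never reached when the call above times out
            return true;
        } catch (TimeoutException e) {
            return false;                // account "removed" from the UI, keys still on device
        }
    }

    // Hardened ordering: local sensitive data is wiped regardless of the remote outcome.
    static boolean removeAccountHardened(String account, boolean serverResponds) {
        boolean remoteOk = true;
        try {
            notifyServerOfRemoval(account, serverResponds);
        } catch (TimeoutException e) {
            remoteOk = false;            // remote failure is reported, but does not block cleanup
        } finally {
            KEY_STORE.remove(account);   // always runs, including on timeout
        }
        return remoteOk;
    }

    // The invariant a regression test should assert after any removal path: no key material remains.
    static boolean keysRemain(String account) {
        return KEY_STORE.containsKey(account);
    }

    public static void main(String[] args) {
        KEY_STORE.put("alice@cloud.example", Map.of("e2ePrivateKey", "<constructed>"));
        removeAccountVulnerable("alice@cloud.example", false);
        System.out.println("vulnerable path, keys remain: " + keysRemain("alice@cloud.example"));
        removeAccountHardened("alice@cloud.example", false);
        System.out.println("hardened path, keys remain:   " + keysRemain("alice@cloud.example"));
    }
}
```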

Remediation

Users should upgrade their Nextcloud Android application to version 3.16.1 or later, which contains the fix for this vulnerability. The patch implemented in commit 355f3c745b464b741b20a3b96597303490c26333 addresses the timeout issue that prevented proper cleanup of sensitive data during account removal. If upgrading is not immediately possible, users should be aware that removing accounts from the app may not fully remove all sensitive data from the device.

References

  1. Patch commit: https://github.com/nextcloud/android/commit/355f3c745b464b741b20a3b96597303490c26333
  2. Security advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g5gf-rmhm-wpxw
  3. HackerOne report: https://hackerone.com/reports/1189168
  4. CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

