Nextcloud 11 delivers verified security improvements

code_low
Public services like Dropbox are major targets for criminal and state sponsored hacking attempts, but a self hosted alternative which fails to provide security offers no advantage. Security is of the utmost concern to Nextcloud and we work according to industry security standards like ISO27001, a fact that we had independently verified by NCC Group. Our confidence in the security of our solution is backed by our USD 5000 HackerOne Security Bug Bounty program.

Independently verified security-conscious development

For the Nextcloud 11 release we requisitioned a review of our security processes and the new features for Nextcloud 11 from the NCC Group, a global expert in cyber security and risk mitigation. Quoting from their report:

“Nextcloud understands the necessity to provide core principle baseline security requirements, as such Nextcloud 11 is built on these security principles to ultimately deliver a secure solution to their customers”

“Risk is assessed by Nextcloud based on current industry standards such as Clause 14 of ISO/IEC27001-2013 and key security principles that are common to many services such key Cloud Security principles. From a technical perspective Nextcloud 11 is subject to in-house Vulnerability Management and routine independent penetration testing using industry certified suppliers. There are also independent reviews of Operational Security and Governance related to Nextcloud’s design which includes reviewing policy, process and related procedures.”

“This review process looked at all the new Nextcloud 11 security features not only in isolation but also collectively as aggregated defense mechanisms that look to provide a strength in depth approach to security. The review process looked at aligning the features against varying standards and best practices used across industry, using the ISO27001 standard as the baseline control set and subsequently cross referenced with other related standards, guidance and security principles”

“The Nextcloud 11 solution is built around combined assurance layers consisting of newly applied rich security features, applied best practices which are governed by policy and the design itself validated by industry standard testing processes. Following the security review of the new security features being deployed it was considered that each feature including by aggregation by association will enhance the security standing of the Nextcloud 11 solution.”

You can view and download the full NCC Group’s findings from our website. We also provide access to a full VeraCode vulnerability scan and a series of further details on the defenses Nextcloud employs against security threats. Read on for a full description of the new security enhancements in Nextcloud 11.

Features

Nextcloud 11 introduces a series of new security capabilities and hardenings, delivering security following the latest industry standards and enabling administrators to opt in to further measures. A quick overview:

  • Inclusion of two factor authentication support for U2F and TOTP
  • App specific tokens can be forbidden file system access
  • Support for Kerberos authentication
  • Password confirmation for sensitive actions
  • HTTPS by default for federation
  • password reset logic auto-invalidates after changing mail address
  • improved brute force protection on more endpoints
  • CSP 3.0 protection
  • Same-site Cookies Support improvements
  • Our Collabora Online integration app received several security hardening
  • The new Nextcloud App store uses automated checks and signatures to prevent malicious apps from getting installed on user installations

The first three improvements require administrators to enable them while the other 8 measures will improve the security of a Nextcloud installation without requiring any action from the users or system administrators. We will go into more detail about each of the capabilities in the remainder of this blog.

Two Factor Authentication

Nextcloud 11 brings two officially supported two-factor providers to your Nextcloud server. While Nextcloud 10 has already introduced the backend APIs for Two-Factor Authentication, this release finally lowers the barrier for using a second factor provider by offering several default providers. Support for the following factors has been added:

Universal 2nd Factor (U2F)

U2F is an open standard that allows you to authenticate using a hardware security key such as the Yubikey. Once U2F has been enabled users need to plugin their U2F security key into their computer to successfully login.

Time-based One-Time Password (TOTP)

TOTP is an open standard that allows you to authenticate by providing a security number in addition to their regular credentials to successfully authenticate. In case a user has lost their second factor, administrators can reset the provided second factor. Users can also generate backup codes in the personal settings of their Nextcloud. For more specific requirements (such as enforcing a second-factor) organizations can use the extensive public API that we provide for hooking in second factor providers.

For authenticating with clients Nextcloud supports application specific passwords that can be generated by users.

Application specific tokens can be forbidden file system access

To authenticate against their Nextcloud users can now also use tokens instead of their password that have specific limitations enforced. As a first step we’ve added support for limiting file system access. This allows users now to connect their potentially less trusted third-party clients (like a mobile phone calendar) without exposing access to the whole file system.

Support for Kerberos Authentication

Nextcloud 11 supports authentication using environment variables which enables a wide range of authentication mechanisms to work, Kerberos being one of the most important and the prime reason we made this possible. Users will need to use the Kerberos Apache module and set the right environment variables in the administrator interface as described in our documentation.

Password confirmation for sensitive actions

Nextcloud 11 has added support for password confirmation on security critical actions. If an administrator or regular user is trying to change a potential sensitive setting (such as changing the permissions of an user) they will have to provide their password a second time to verify the action. Password verification is only required once every 30 minutes. After 30 minutes have been passed after the last verification the user will have to reverify their identity if they make a security-sensitive change.

Use HTTPS by default for Federation

Nextcloud supports so-called Federated Cloud Sharing (now standardized in the Open Cloud Mesh project). This means that users of different instances can share files with each other by providing their federated cloud ID. (e.g. john@cloud.doe.com) The instances will then communicate using the OCM protocol and establish a share connection.

Before Nextcloud 11 the server would first try to establish a HTTPS connection and if that failed gracefully fail back to HTTP without any user feedback. Thus allowing potential man-in-the-middle attacks. Realizing that HTTPS is now easier than ever using projects such as LetsEncrypt we are now requiring HTTPS unless a user manually decides to share with a HTTP instance. (by providing http://john@cloud.doe.com as federated cloud ID)

Bruteforce protection

The bruteforce protection implemented in Nextcloud protects against brute force attacks against potentially sensitive endpoints. It currently works by throttling all login requests coming from a specific subnet. This means, if an IP has triggered multiple invalid login attempts future auth requests from that subnet will be slower for the next 24 hours. (up to 30 seconds delay) In Nextcloud 11 the bruteforce protection has been hardened by protecting even more endpoints against potential brutef orce attacks. This includes some endpoints of the OCS Person API as well as the newly added password confirmations.

Content Security Policy v3.0 Support with nonce instead of “self” for script-src

Nextcloud 11 brings first support for Content Security Policy v3.0. CSP is a HTTP feature that allows the server to set specific restrictions on a resource when opened in a browser. Such as only allowing to load images or JavaScript from specific targets.

Using CSP makes it much harder for attackers to exploit a Cross-Site Scripting vulnerability. This is the fact because resources inserted by an attacker are not in the whitelist of the policy and thus the browser can notice an injection and refuse execution.

The newly added support for CSP v3.0 makes it possible for Nextcloud to have an even stricter policy. Instead of restricting the JavaScript inclusion policy to ‘self’ we now use nonces, this is a security improvement because the previous implementation using ‘self’ didn’t take browsers in consideration that do mime type sniffing. (“mime confusion attacks”) Browsers that don’t support CSP v3.0 will simply get a v2.0 policy delivered that uses the ‘self’ key word for script-src. The policy used by default is restrictive:
default-src 'none';script-src 'nonce-LONGRANDOMNONCE' 'unsafe-eval';style-src 'self' 'unsafe- inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
on API endpoints with Nextcloud 11 the policy is just set to 'default-src 'none''
Note that Nextcloud does output encoding and CSP is just considered a defense in-depth. See the CSP evaluator to evaluate our CSP policy!

Same-site cookies support

The Same-site cookie support in Nextcloud 11 has been hardened even further. Same-Site cookies are a security measure supported by modern browsers that prevent CSRF vulnerabilities and protect your privacy further.

Browsers that support same-site cookies can be instructed in a way to only send a cookie if the request is originating from the original domain. This makes exploiting CSRF vulnerabilities from other domains a non-issue. Also timing attacks, such as enumerating whether a specific file or folder exists, are not feasible anymore. Nextcloud enforces the same-site cookies to be present on every request by enforcing this within the request middleware.

As hardening measure, in Nextcloud 11 we have added the __Host prefix to the cookie if the environment supports this feature. This enforces the cookie to be only sent via HTTPS and only be sent only to the host that has set this cookie. This mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. Note that Nextcloud does also employ regular protections against CSRF such as a shared secret between browser and client. Same-Site cookies are just considered a security hardening. More technical details about the original implementation can be read in this blog.

Improved password reset logic

As a further hardening to the general platform we’ve implemented a more clever password reset mechanism. Previously reset tokens where simply valid for 12 hours. The new password reset logic invalidates the password also after critical information such as the user mail address has been changed.

Collabora Online app hardenings

The Collabora Online app mediates the connection between the Collabora Online server app and the user interface of Nextcloud. We had contributed to the upstream app until now but decided to create our own version to be able to move forward faster. We cleaned up over 7000 lines of code and updated the app to use server functionality rather than legacy code, cleaning a large number of vulnerabilities. With less code the app becomes easier to audit and check for issues as well.

New app store

Given some security related incidents with the old app store like this and more recently this, security of Nextcloud systems benefits from a move to our new app store on apps.nextcloud.com. The new app store integrates an automatic check on uploaded apps, ensuring a significant proportion of scam and spam attempts is blocked before even making it to the store. Vetted developers have to sign their app with a private key, signed in turn by the Nextcloud Code Signing Authority which ensures even a successful compromise of an app store account can not result in malicious apps being uploaded to user systems.

Find more info in our blog about appstore improvements and app signing.

Conclusion and recommendations

Security tends to be invisible until things go wrong. As our customers put their most sensitive data in Nextcloud, they deserve the utmost care for their security and Nextcloud GmbH delivers this.

The features developed as well as the processes followed by Nextcloud with regards to security in development have been reviewed by the NCC Group. They concluded that the features were “designed, built and deployed on industry standards using Secure-Software Development Lifecycle processes and best practice ideology”. Nextcloud 11 thus sets a new standard in secure sharing and syncing of data in enterprise environments.

We recommend customers to get in contact with our support team and start preparing migration to Nextcloud 11 to ensure their data is as secure as it can be.

Start the discussion at The Nextcloud forums