During a year of data-breach disclosures by the likes of Equifax, Yahoo, and Verizon, you'd think there would be no need for a cautionary tale on the importance of keeping software properly patched. Not so, according to Frank Karlitschek, founder and managing director of Nextcloud. Too many system administrators still aren't getting with the program.
Nextcloud is a Germany-based startup that began life as an open source file sharing application similar to Dropbox. In the year and a half since the project started as a fork of ownCloud (which was also founded by Karlitschek), its functions have expanded to include online collaboration similar to Office 365 or Google Docs, as well as other features such as messaging and video conferencing.
It's also security focused. Among other features, it comes with a finely honed permission system, and the next release will add end-to-end encryption built on best practices such as never storing the encryption keys on the server.
Businesses like its functions and also that it can be run on-premises. They also like it because it's open source. Companies that don't want a support contract are free to download and install it without cost.
"I have to say, that comes with some responsibility," Karlitschek told Data Center Knowledge. "For example, you have to update the software yourself. You can't just install it and let it run for a few years."
That should be obvious, but it seems to be a problem.
Although Karlitschek and his team work to keep Nextcloud free from vulnerabilities, even going so far as to offer a substantial bounty for any reported security hole, vulnerabilities that require patching are sometimes found, as with any software project. The trouble with patches, however, is that they don't work unless they're installed.
"The only thing we can do is provide a new update, a new patch release, notify all the users, and make it super easy for them to install the patch," Karlitschek said. "But at the end of the day they have to install the patch. If they don't, then that's a problem. Over the years we've made it really easy, with one click or one command line command you can update your instance."
Late last year, Karlitschek and his team decided to investigate how many vulnerable, unpatched versions of Nextcloud were online. Because anybody can download and install the software, there is no registry of deployments, so this meant scanning the internet for Nextcloud instances. For each one they found, they checked whether it was running the current, patched release or a version with known vulnerabilities.
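The check behind such a scan is not "is this the newest version?" but "is this version at or past the release that carries the fix on its own branch?" The following is an added example of that triage logic, not Nextcloud's scanner and not real Nextcloud release data: the fixed-version table, host names and reported version strings are all constructed for illustration.

```python
"""Classify scanned instances as patched, vulnerable or unsupported.

Added illustration, not Nextcloud's scanner. The FIXED_IN table and the
sample scan output are constructed for this example and are hypothetical.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '12.0.3' into (12, 0, 3) so versions compare numerically.

    Comparing the raw strings would rank '12.0.10' below '12.0.3'.
    Trailing labels such as ' RC1' are ignored.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


# Hypothetical table: for each supported major branch, the first release
# that contains the fix. Constructed for this example only.
FIXED_IN: Dict[int, Version] = {
    11: parse_version("11.0.5"),
    12: parse_version("12.0.3"),
}


def patch_status(reported: str, fixed_in: Dict[int, Version] = FIXED_IN) -> str:
    """Classify one reported version string.

    'patched'     - on a supported branch, at or after the fixed release
    'vulnerable'  - on a supported branch, before the fixed release
    'unsupported' - on a branch with no fixed release at all (end of life)
    """
    version = parse_version(reported)
    fixed = fixed_in.get(version[0])
    if fixed is None:
        return "unsupported"
    return "patched" if version >= fixed else "vulnerable"


def triage(reports: Dict[str, str], fixed_in: Dict[int, Version] = FIXED_IN) -> Dict[str, str]:
    """Map host -> status for a batch of scan results."""
    return {host: patch_status(ver, fixed_in) for host, ver in reports.items()}


# Constructed sample scan output: host -> version string the instance reported.
SAMPLE_SCAN = {
    "files.example.org": "12.0.3",
    "cloud.example.net": "12.0.1",
    "intranet.example.com": "11.0.10",
    "old.example.edu": "10.0.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_SCAN).items():
        print(f"{host:24} {SAMPLE_SCAN[host]:10} {status}")
```

Note that 11.0.10 is numerically older than 12.0.1 yet counts as patched, while 12.0.1 does not: the per-branch fixed release, not recency, is what matters. An instance on a branch with no fix at all needs an upgrade rather than a patch, which is why it gets its own status.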
Not only did they end up finding a disturbingly high number of vulnerable instances, but they found them running on domains where security should be considered critical: sites for large businesses, governments, and other organizations undoubtedly hosting sensitive information. Most concerning to Karlitschek was the inclusion of several German political parties at a time when national elections were on the horizon -- and just after the cybersecurity brouhaha in the US after its last election.
The folks at Nextcloud immediately went to work to rectify the situation.
"We provided a security scanner where you can type in the URL of any Nextcloud/ownCloud instance and see what patches are needed and if you're secure or not," he said. "We also worked together with governments in Germany, and also with Switzerland, Austria, and other countries, where they helped us to contact organizations running vulnerable versions."
Like many vulnerabilities, some holes in unpatched versions of Nextcloud are easily exploited. In one case, an unauthenticated user could gain access to all files simply by changing a number in a URL. "You can go through it and just increase a number in the URL and you get the first file, and then the second file, and the third file, and all without being authenticated," he said. "That's a pretty big problem."
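The attack Karlitschek describes is the classic insecure-direct-object-reference pattern: sequential identifiers plus a handler that never asks who is calling. The following is an added example of that pattern next to its hardened form; it is not Nextcloud code, and the file store, users and session tokens are constructed for illustration.

```python
"""Sequential file IDs with and without an authorization check.

Added illustration of the enumeration described in the text; not Nextcloud
code. FILES and SESSIONS are constructed sample data.
"""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Optional[bytes]]  # (HTTP-style status, body)

# Constructed sample data: file_id -> (owner, contents)
FILES: Dict[int, Tuple[str, bytes]] = {
    1: ("alice", b"Q3 budget.xlsx"),
    2: ("bob", b"passport-scan.pdf"),
    3: ("alice", b"board-minutes.docx"),
}

# Constructed session table: session token -> username
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


def vulnerable_download(file_id: int) -> Response:
    """Vulnerable: looks the file up by ID and hands it to whoever asks.

    There is no session check and no ownership check, so walking the ID
    space returns every file on the server.
    """
    if file_id in FILES:
        return 200, FILES[file_id][1]
    return 404, None


def hardened_download(session: Optional[str], file_id: int) -> Response:
    """Hardened: require a valid session, then require ownership.

    A file the caller does not own is reported exactly like a file that
    does not exist (404), so an attacker cannot even confirm which IDs
    are in use.
    """
    user = SESSIONS.get(session) if session else None
    if user is None:
        return 401, None
    entry = FILES.get(file_id)
    if entry is None or entry[0] != user:
        return 404, None
    return 200, entry[1]


def enumerate_ids(fetch: Callable[[int], Response], start: int = 1, max_misses: int = 5) -> Dict[int, bytes]:
    """Walk IDs upward, as the quoted attack does, keeping whatever the
    handler returns; give up after max_misses consecutive non-200s."""
    found: Dict[int, bytes] = {}
    misses = 0
    file_id = start
    while misses < max_misses:
        status, body = fetch(file_id)
        if status == 200 and body is not None:
            found[file_id] = body
            misses = 0
        else:
            misses += 1
        file_id += 1
    return found


if __name__ == "__main__":
    print("no session, vulnerable handler:", enumerate_ids(vulnerable_download))
    print("no session, hardened handler:  ", enumerate_ids(lambda i: hardened_download(None, i)))
    print("bob's session, hardened handler:", enumerate_ids(lambda i: hardened_download("tok-bob", i)))
```

Against the vulnerable handler the walk recovers all three files with no credentials; against the hardened one it recovers nothing without a session, and with Bob's session only Bob's own file. Random, non-sequential identifiers would make the walk impractical, but they are a complement to the ownership check, not a substitute for it.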
Another, more serious flaw gives a user access to the underlying server. "Not as root," Karlitschek explained, "but if there's a second vulnerability in the operating system, then you might additionally get root permission."
Karlitschek's concern isn't about vulnerabilities in old versions of Nextcloud that have since been patched but about the implications of a large number of unpatched versions of any software facing the internet even though patches are readily available. "There's nothing specific to Nextcloud in the scenario," he said. "The assumption is that it's a problem that is bigger than Nextcloud."
It's not news that updating software or addressing other "minor" security issues is often far down on an admin's to-do list, sometimes due to pressure from management to get more visible work done. There's also the attitude that there's no great urgency, because a flaw in little-known software is unlikely to be exploited.
"When I talk to people about security issues, sometimes I get the impression that they view this as all theoretical," Karlitschek said, "like you have to be a real expert to hack something. Sure, you can also break into my house if you know how to do it, but nobody really knows how to do it, so that's not a real threat.
"This may be the case for some of the less critical security issues out there, but there are critical ones."