Platform: nextcloud
Component: nextcloud-desktop
Fixed version: 3.12.1
CVE-2024-37885 describes a code injection vulnerability affecting the Nextcloud Desktop Client for macOS. The flaw allows an attacker to load arbitrary code when the client is launched with the DYLD_INSERT_LIBRARIES environment variable set. Versions of the Nextcloud Desktop Client prior to 3.12.0 are affected. A fix is available in version 3.12.0.
The vulnerability lies in how the Nextcloud Desktop Client handles the DYLD_INSERT_LIBRARIES environment variable on macOS. If an attacker can control this environment variable, they can inject malicious code that is executed when the client starts. This could lead to arbitrary code execution with the privileges of the Nextcloud Desktop Client process, potentially allowing an attacker to gain access to synchronized files, modify data, or compromise the user's system. The impact is limited by the client's permissions, but successful exploitation could still be significant.
This vulnerability was publicly disclosed on 2024-06-14. No public proof-of-concept (PoC) code had been released at the time of writing. The CVSS base score is 3.8 (LOW severity); the EPSS figure below gives the estimated probability of exploitation. It is not currently listed in the CISA KEV catalog.
Users of Nextcloud who rely on the Desktop Client for macOS synchronization and have not upgraded to version 3.12.0 are at risk. This includes individuals and organizations using Nextcloud for file sharing and collaboration, particularly those with less stringent environment variable security controls.
• macos / desktop: Check whether a running Nextcloud Desktop Client process was started with DYLD_INSERT_LIBRARIES in its environment (ps -E prints the environment on macOS).
  ps -E -ww -p "$(pgrep -x Nextcloud)" | grep DYLD_INSERT_LIBRARIES
• macos / desktop: Check for unusual processes running as the Nextcloud Desktop Client user.
  ps aux | grep Nextcloud
• macos / desktop: Examine the environment variables of the shell used to launch the Nextcloud Desktop Client.
  echo $DYLD_INSERT_LIBRARIES
Exploit status
EPSS: 0.13% (32nd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-37885 is to upgrade the Nextcloud Desktop Client to version 3.12.0 or later. If upgrading is not immediately possible, restrict who can set the DYLD_INSERT_LIBRARIES environment variable for the client. This can be achieved by carefully controlling the environment in which the client is launched and ensuring that only trusted processes can modify it. Consider implementing stricter security policies around environment variable manipulation. After upgrading, confirm that the installed client reports version 3.12.0 or later and that the client no longer honours DYLD_INSERT_LIBRARIES at launch.
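The detection checks listed above and the post-upgrade verification described in this paragraph can be combined into one host check. The script below is an added example, not code from this advisory or from the Nextcloud project. It assumes the app bundle path /Applications/Nextcloud.app used in the checks above (override with the hypothetical NEXTCLOUD_APP variable), reads the installed version from the bundle's Info.plist, and treats 3.12.0, the first fixed release named in this text, as the cutoff. It goes one step beyond the text by also reading the binary's code-signing flags: a macOS binary signed with the hardened runtime is ignored-by-dyld territory for DYLD_INSERT_LIBRARIES unless it carries the com.apple.security.cs.allow-dyld-environment-variables entitlement, which is the platform-level defence against this class of injection.

```shell
#!/bin/sh
# Added example (not from the advisory or the Nextcloud project): assess a
# macOS host for CVE-2024-37885 exposure. Assumptions: the client is installed
# as /Applications/Nextcloud.app (override with NEXTCLOUD_APP), the bundle's
# Info.plist carries CFBundleShortVersionString, and 3.12.0 is the first fixed
# release as stated in the advisory text.

FIXED_VERSION="3.12.0"
APP="${NEXTCLOUD_APP:-/Applications/Nextcloud.app}"

# version_lt A B: succeed (exit 0) when dot-separated version A sorts before B.
# Non-numeric suffixes such as "-rc1" are ignored; missing fields count as 0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1   # versions are equal
}

# status_for_version V: prints "vulnerable" when V predates the fixed release.
status_for_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Installed version from the app bundle (macOS only).
installed_version() {
    defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# Code-signing posture of the main binary (macOS only). With the hardened
# runtime, dyld ignores DYLD_INSERT_LIBRARIES unless the binary is entitled
# with com.apple.security.cs.allow-dyld-environment-variables.
signing_status() {
    bin="$APP/Contents/MacOS/Nextcloud"
    if codesign -dv "$bin" 2>&1 | grep -q 'flags=.*runtime'; then
        if codesign -d --entitlements - "$bin" 2>/dev/null \
              | grep -q 'allow-dyld-environment-variables'; then
            echo "hardened runtime, but DYLD environment variables are explicitly allowed"
        else
            echo "hardened runtime (DYLD_INSERT_LIBRARIES is ignored by dyld)"
        fi
    else
        echo "no hardened runtime (DYLD_INSERT_LIBRARIES is honoured at launch)"
    fi
}

# DYLD_INSERT_LIBRARIES in the environment of any running client process.
# ps -E prints the environment on macOS/BSD; only your own processes are visible.
running_process_hits() {
    for pid in $(pgrep -x Nextcloud 2>/dev/null); do
        ps -E -ww -p "$pid" 2>/dev/null | grep -o 'DYLD_INSERT_LIBRARIES=[^ ]*'
    done
}

main() {
    v=$(installed_version) || { echo "no Nextcloud.app found at $APP"; return 2; }
    echo "installed version: $v -> $(status_for_version "$v") (fixed in $FIXED_VERSION)"
    echo "signing: $(signing_status)"
    echo "launch shell: DYLD_INSERT_LIBRARIES=${DYLD_INSERT_LIBRARIES:-<unset>}"
    hits=$(running_process_hits)
    if [ -n "$hits" ]; then
        echo "WARNING: running Nextcloud process carries $hits"
    else
        echo "no running Nextcloud process with DYLD_INSERT_LIBRARIES set"
    fi
}

# The bundle and code-signing checks only make sense on macOS.
[ "$(uname)" = "Darwin" ] && main
```

The version comparison is pure POSIX shell so the same function can be reused in fleet inventory scripts; the macOS-specific calls (defaults, codesign, pgrep, ps -E) are isolated in their own functions and only run when the script is executed on Darwin.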
Update the Nextcloud Desktop Client to version 3.12.0 or later. This update fixes a code injection vulnerability that could allow arbitrary code execution. Download the latest version from the official Nextcloud website.
CVE-2024-37885 is a code injection vulnerability in the Nextcloud Desktop Client for macOS, allowing arbitrary code execution if DYLD_INSERT_LIBRARIES is exploited. It has a LOW severity rating.
You are affected if you are using the Nextcloud Desktop Client for macOS in a version prior to 3.12.0. Upgrade to the latest version to resolve the issue.
Upgrade the Nextcloud Desktop Client to version 3.12.0 or later. As a temporary workaround, restrict who can set the DYLD_INSERT_LIBRARIES environment variable for the client.
There is no confirmed active exploitation of CVE-2024-37885 at this time, but it's crucial to apply the patch proactively.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)