Nextcloud Sync attack surface

I am generally wondering about the attack surface/risks of using synchronization of files. Here is a bit of context:
*Person A and Person B are sharing a directory and each person is syncing those folders

*If Person A manages to get an infected file in the sync directory, what’s the likelihood of Person B activating that infected file? Can the file synchronization potentially activate the code on the file? I know for malware to run it has to be executed.

*What sort of attack surface does the synchronization application provide generally speaking?

The only problems I can perceive are infected files going into the sync folders that could be run by other users or possible MitM attack. If anyone knows more that could happen, I’m looking for a worst case scenario

Files normally don’t execute themselves, so the likelihood depends on the user. In most cases anti-virus solutions on the client-side should prevent execution and you can use an anti-virus solution on the server:

New viruses, not yet known by any anti-virus, are efficiently spread through the sync process. You still need to execute them.

I didn’t get the point about MitM attacks? You mean if some virus attacks the sync process itself?

So of course we can’t guarantee anything. But having said that.

Assume userA has a shared folder with userB and wants to infect that user. Now userA uploads a bad file. Now userB goes to sync that file. Since that file is actively writen userBs virus scanner (given they have one) will be triggered.

And even if not like @tflidd says files don’t execute themself. And the sync client also doesn’t. It just gets binary data that it writes.

Now having said all this. Again we can’t give any guarantees. If somebody is targetting you with brand new mallicous code then well bad luck. So always make sure to backup your files!

Thanks for the reply guys :slight_smile: yes I know there will not be such a thing as absolute security or a guarantee of there not being an infection. I can’t imagine either user in my own scenario to send malicious files unless it’s a compromised end point. So my only real way of malicious file mitigation I see is AV on the endpoints and enabling AV on the Nextcloud server.

As for the MitM attack, @tflidd, yes I was speaking of attacking the sync process itself. If we assume the end point computers aren’t compromised, the only MitM attack I can see is if someone intercepts the connection leaving the network, but at that point they would have to deal with an SSL connection, and I set up Apache to use HSTS, which I read can only be broken by compromising NTP servers to advance time. I saw some stuff about Man in the Cloud attacks as a possibility too.

I guess what I’m mainly looking at is what serious attack surfaces exist for synchronizing files that wouldn’t already exist if userA was just giving files over the web to userB? userA could already unwittingly give userB infected files even without synchronization and userB could be none the wiser

Everything which is executed automatically could be used as an attack. For example you put malicious pictures exploit a bug in the thumbnail-creation process of your OS. But then again, that is an issue for all shared folders you use (via windows network storage, gdrive, …) except you come up with an idea to prevent specific attacks.

So I suppose the only consensus I can come up with is there really isn’t that much of an attack vector, or at least a probable one with this type of software because there is probably other easier attack targets or other common attacks that could have happened even if the synchronization software wasn’t a part of the picture

That’s pretty accurate. Nextcloud is (mostly) PHP software. It’s so far up the technology stack, that the majority of security threats or vulnerabilities are operating at a lower level. If your worried about security, then secure the lower levels of the stack. IE, operating system, network communication, access control, etc. Other than that, keep on top of Nextcloud updates in case there is vulnerability at some point. See