Malicious Android application can crash the Nextcloud Android Client
Description
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device can crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious app on the same device can crash the Nextcloud Android client via an uncaught exception; patched in 3.15.1.
Vulnerability
CVE-2021-32694 is a denial-of-service vulnerability in the Nextcloud Android app, affecting versions prior to 3.15.1. The bug resides in the handling of deep login URLs; a malformed or unexpected deep link URL triggers an uncaught exception, causing the client to crash. The vulnerable code path is reachable when any application on the same Android device sends a crafted deep link to the Nextcloud app via an intent. No special permissions are required beyond the ability to send intents on the same device. [1][2]
Exploitation
An attacker needs a malicious or compromised application installed on the same Android device. The malicious app sends a specially crafted intent with a malformed deep login URL (e.g., a nextcloud:// scheme URL with invalid parameters) to the Nextcloud app's activity handler. The Nextcloud app does not properly validate the URL before use, leading to an uncaught exception and immediate crash. No user interaction with the crash dialog is required; the crash occurs upon receipt of the malicious intent. [1][2]
Impact
A successful exploit causes the Nextcloud Android client to crash and become unavailable. This is a denial-of-service (availability impact) confined to the app's process; data confidentiality and integrity are not directly compromised. The crash can be repeated, effectively making the app unusable while the malicious app is running. [1]
Mitigation
The vulnerability is fixed in Nextcloud Android version 3.15.1, released on or around June 17, 2021. Users should update the app from the Google Play Store or F-Droid to the latest version. No workaround is available for affected versions. The fix adds proper try-catch handling around the deep login URL processing, preventing the uncaught exception. [1][2]
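The failure mode and the try-catch style of fix described above, as an added example in plain Java (not the Nextcloud project's code). The link shape `nextcloud://login?server=…&user=…`, the class and method names, and the use of `java.net.URI` in place of Android's intent and `Uri` classes are assumptions made for this demo.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class DeepLinkDemo {
    // Hypothetical link shape for this demo: nextcloud://login?server=<host>&user=<name>

    // "Before": assumes a well-formed link; any surprise becomes an unchecked exception.
    static Map<String, String> parseUnchecked(String link) {
        URI uri = URI.create(link);                      // IllegalArgumentException on bad syntax
        Map<String, String> out = new HashMap<>();
        for (String pair : uri.getQuery().split("&")) {  // NullPointerException when no query
            String[] kv = pair.split("=", 2);
            out.put(kv[0], kv[1]);                       // ArrayIndexOutOfBoundsException without '='
        }
        return out;
    }

    // "After": treat the link as untrusted, validate the fields, and contain parser failures.
    static Optional<Map<String, String>> parseChecked(String link) {
        try {
            Map<String, String> p = parseUnchecked(link);
            String server = p.get("server"), user = p.get("user");
            if (server == null || server.isEmpty() || user == null || user.isEmpty()) {
                return Optional.empty();
            }
            return Optional.of(p);
        } catch (RuntimeException e) {
            return Optional.empty();                     // reject the link, keep the process alive
        }
    }

    public static void main(String[] args) {
        String[] constructed = {                         // constructed sample inputs
            "nextcloud://login?server=cloud.example.org&user=alice",
            "nextcloud://login",
            "nextcloud://login?server",
            "nextcloud://login?server=cloud.example.org",
            "nextcloud://lo gin?server=x&user=y",
        };
        for (String link : constructed) {
            System.out.println((parseChecked(link).isPresent() ? "accepted  " : "rejected  ") + link);
        }
    }
}
```

Only the first constructed link is accepted; the other four are rejected without an exception leaving `parseChecked`, whereas passing them to `parseUnchecked` directly would terminate the caller.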
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.15.1
- nextcloud/security-advisories v5, Range: < 3.15.1
References
- github.com/nextcloud/android/pull/7919 (mitre, x_refsource_MISC)
- github.com/nextcloud/security-advisories/security/advisories/GHSA-h2gm-m374-99vc (mitre, x_refsource_CONFIRM)
- hackerone.com/reports/859136 (mitre, x_refsource_MISC)