Some days ago, NextCloud inc. announced a major security issue with it’s Product NextCloud in connection with NGINX and PHP using FastCGI.
Some few days later, BleepingComputer issued this alert, that there is an expoloit in the wild actively encrypting NextCloud Data.
The good news first: We have been lucky again and have not had an issue so far.
Since we update our servers on a regular basis (i.e. at least once a week) we should be safe for now. In addition, we have an a little bit more complex setup as most users and have several additional security layers between the Internet and our Server Systems.
Nevertheless: This Issue clearly shows that you don’t know whether your systems are secure or not. Security is just a snapshot at the moment you’re looking. This could change the next (micro)second.
We are fully aware that even our setup might (and most probably will) have some shortcomings. We strive to eliminate all of them – but we’re never sure and always watching out!
This bug clearly shows: With Scripting Languages getting more and more powerful this is a clear sign that updates really can’t wait.
It shows as well that Backup is something that isn’t optional (well, never has been, actually). The focus of having a backup has changed dramatically, though. In former times, Backups were needed in case of a malfunction, user-error or (many times) hardware failures.
In recent years, disastrous hardware failures have become scarce and malfunctions (a security issue in a software is nothing more than a bug, basically) are the number one reason for restores today.
This bug clearly shows that added complexity is always coming with an added risk for such issues. Neither a bug in Nextcloud nor in Nginx alone would have had a potential for such a disaster. But in combination of the two (three), the bug materialized into something quite scary.
Clouds (no matter what product you use) can be scary at times. Don’t wait until the disaster strikes, be prepared!