Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw
A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.
Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to admin passwords, mail server credentials, and license keys, exposing affected enterprises to data breaches or other types of malicious activity.
The flaw, tracked as CVE-2023-49103 and disclosed by ownCloud on Nov. 21, earned the top score of 10 out of 10 on the CVSS severity rating due to its ease of exploitation. It lies in the graphapi app of ownCloud, a file server and collaboration platform that enables secure storage, sharing, and synchronization of often sensitive files.
Researchers from GreyNoise observed what they characterized as mass exploitation of the flaw in the wild starting as early as Nov. 25, with at least 40 unique IP addresses seen trying to exploit the flaw so far, according to the current data shown on its tracker.
Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, characterized the initial exploitation observed by GreyNoise as attackers pretty much spraying it across the Internet to see what hits, in an online discussion on Tuesday.
The Shadowserver Foundation also is tracking exploitation of the flaw, having observed more than 11,000 exposed instances, with most of those located in Germany, the US, France, and Russia.
The affected graphapi app versions are 0.2.0 to 0.3.0. The app uses a third-party library that reveals sensitive PHP environment configuration, including passwords and keys, Thorpe wrote in the post.
It's important to note that only patching mitigates the issue; even disabling the app does not entirely resolve it, according to GreyNoise. The flaw affects both containerized and non-containerized ownCloud instances, although Docker containers from before February 2023 are not vulnerable to the credential disclosure, the researchers noted.
Moreover, the vulnerability is just one of three that ownCloud revealed last week, all of which allow attackers to breach data in deployments of the platform, the researchers noted. The other two are an authentication bypass flaw tracked as CVE-2023-49105 and a critical flaw related to the oauth2 app tracked as CVE-2023-49104.
Organizations using ownCloud should address these vulnerabilities immediately, GreyNoise recommended.
OwnCloud is used by nearly 1 million organizations worldwide to manage and share data through a self-hosted platform, replacing the use of online services such as Dropbox to share files throughout an organization. Theoretically this makes enterprise file transfers more secure than sending them over a public cloud, except of course if the deployment of ownCloud is being exploited.
That's the current case with the critical flaw in graphapi, which relies on a third-party library that provides a URL that, when accessed, reveals the configuration details of the PHP environment, according to ownCloud.
These details include all the environment variables of the Web server, which in containerized deployments may include sensitive data such as the ownCloud admin password, mail server credentials, and license key, according to ownCloud.
In its fix, ownCloud deleted the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabled the phpinfo function in its Docker containers. The company also plans to harden various aspects of future core releases to mitigate similar vulnerabilities.
In addition to applying the fix, ownCloud also recommended that companies rotate the following secrets in their deployments: the ownCloud admin password, mail server credentials, database credentials, and object store/S3 access keys.
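Because the fix is the removal of one file, a defender's first question is whether that file was ever requested on their own instance before the patch landed. The script below is an added example, not code from ownCloud or GreyNoise: it takes the file name from the advisory, assumes an Apache/nginx "combined" access-log layout, and runs over a few constructed log lines. Requests that received a 200 mean the script was present and served, and the host's environment should be treated as leaked.

```python
import posixpath
import re
from urllib.parse import unquote

# Relative path of the script ownCloud removed in the fix (from the advisory),
# lower-cased because the match below is case-insensitive.
PHPINFO_SCRIPT = "graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Apache/nginx "combined" log format; the layout is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic). Addresses are RFC 5737 test
# ranges; the second line models an install mounted under /owncloud, the third
# a percent-encoded dot plus redundant path separators.
LOG_LINES = [
    '203.0.113.10 - - [25/Nov/2023:10:12:01 +0000] '
    '"GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Nov/2023:10:12:02 +0000] '
    '"GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2023:10:15:44 +0000] '
    '"GET /apps//graphapi/./vendor/microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp?x=1 HTTP/1.1" 200 48211 "-" "curl/8.4.0"',
    '192.0.2.5 - alice [25/Nov/2023:10:20:00 +0000] '
    '"PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 1834 "-" "mirall/4.2"',
]


def is_phpinfo_probe(target: str) -> bool:
    """True if the request target resolves to the graphapi phpinfo script.

    The query string is dropped, the path is percent-decoded, normalised
    (collapsing '//' and '/./') and lower-cased, and the script path is
    matched anywhere inside it, so a prefix such as /owncloud does not
    hide the request.
    """
    path = target.split("?", 1)[0]
    path = posixpath.normpath(unquote(path)).lower()
    return PHPINFO_SCRIPT in path


def scan_log(lines):
    """Return (ip, target, status) for every request that hit the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_phpinfo_probe(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


def served_phpinfo(hits):
    """IPs that received a 200: the script existed and its output was served,
    so the listed secrets on that host should be rotated."""
    return sorted({ip for ip, _, status in hits if status == 200})


if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for ip, target, status in found:
        print(f"{ip} {status} {target}")
    print("clients that received phpinfo output:", served_phpinfo(found))
```

The substring match is deliberately looser than an exact path comparison; a single percent-decode is applied, so logs from a front proxy that decodes differently should be checked with the same normalisation the web server itself applies.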
While not quite as severe as the graphapi flaw, the two other flaws recently discovered by ownCloud also are rated as critical and deserve attention, the company said.
CVE-2023-49105, rated 9.8 on the CVSS, allows attackers to access, modify, or delete any file without authentication if the victim's username is known and the victim has no signing key configured, which is the platform's default configuration.
The flaw affects the ownCloud core app versions 10.6.0 – 10.13.0 and can be fixed by denying the use of pre-signed URLs if no signing key is configured for the owner of the files.
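The logic error behind the fix described above, "deny pre-signed URLs if no signing key is configured", is easy to reproduce in a small model. The code below is an added example and not ownCloud's implementation: the URL parameter names, the HMAC-SHA256 construction and the user table are assumptions chosen to show the failure mode, and the only facts taken from the advisory are that a missing per-user signing key is the default state and that the fix is to refuse such URLs rather than skip verification.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Per-user signing keys. None models a user who never configured one, which the
# advisory describes as the default. Keys are constructed for this example.
SIGNING_KEYS = {
    "alice": None,
    "bob": b"bob-signing-key-constructed-for-example",
}


def sign(path: str, user: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the fields a pre-signed URL commits to (assumed layout)."""
    msg = f"{path}|{user}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_url(path: str, user: str, expires: int, sig: str) -> str:
    """Build a pre-signed URL; parameter names are assumptions, not ownCloud's."""
    q = urlencode({"user": user, "expires": expires, "sig": sig})
    return f"https://cloud.example.test{path}?{q}"


def _parse(url: str):
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return (parts.path, q.get("user", [""])[0],
            int(q.get("expires", ["0"])[0]), q.get("sig", [""])[0])


def verify_vulnerable(url: str, now: int) -> bool:
    """Vulnerable shape: a user without a signing key is treated as 'nothing to
    verify', so any URL naming that user passes. Knowing the username is enough."""
    path, user, expires, sig = _parse(url)
    if user not in SIGNING_KEYS or now > expires:
        return False
    key = SIGNING_KEYS[user]
    if key is None:
        return True          # the bug: a missing key short-circuits to success
    return hmac.compare_digest(sig, sign(path, user, expires, key))


def verify_fixed(url: str, now: int) -> bool:
    """Fixed shape, as the advisory describes it: no signing key for the owner
    means pre-signed URLs are refused for that owner outright."""
    path, user, expires, sig = _parse(url)
    if user not in SIGNING_KEYS or now > expires:
        return False
    key = SIGNING_KEYS[user]
    if key is None:
        return False         # no key configured: pre-signed access is not available
    return hmac.compare_digest(sig, sign(path, user, expires, key))


if __name__ == "__main__":
    # The attacker knows alice's username and supplies an arbitrary signature.
    forged = make_url("/remote.php/dav/files/alice/secret.txt", "alice", 2000, "00")
    print("vulnerable accepts forged URL:", verify_vulnerable(forged, now=1000))  # True
    print("fixed accepts forged URL:     ", verify_fixed(forged, now=1000))       # False
```

The two functions differ in one branch; the general lesson is that an absent credential must fail closed, and that a check which returns success when there is nothing to compare against is an authentication bypass waiting for someone to enumerate usernames.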
CVE-2023-49104, meanwhile, affects the ownCloud oauth2 app versions before 0.6.1 and allows someone to pass in a specially crafted redirect URL that bypasses the validation code. This, in turn, allows the attacker to redirect callbacks to an attacker-controlled top-level domain.
The flaw is rated as 9 on the CVSS and can be mitigated by hardening the validation code in the oauth2 app. A workaround that also fixes the flaw is to disable the Allow Subdomains option, according to ownCloud.
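The class of bug described above, a redirect-URL check that can be talked into sending the OAuth callback to a foreign domain, is shown below with a weak check beside a hardened one. This is an added example and not the ownCloud oauth2 app's code: the registered callback, the candidate URLs and both check functions are constructed for illustration, and nothing here claims to reproduce the app's actual validation logic. Turning `allow_subdomains` off in the weak check corresponds to the "Allow Subdomains" workaround.

```python
from urllib.parse import urlsplit

# Registered callback of a hypothetical OAuth client (constructed for the example).
REGISTERED = "https://app.example.com/callback"


def naive_allows(registered: str, candidate: str, allow_subdomains: bool) -> bool:
    """Weak check: 'is a subdomain' is decided by host containment, so any host
    that merely contains the registered name is accepted."""
    reg_host = urlsplit(registered).hostname
    cand_host = urlsplit(candidate).hostname or ""
    if allow_subdomains:
        return reg_host in cand_host
    return cand_host == reg_host


def strict_allows(registered: str, candidate: str, allow_subdomains: bool) -> bool:
    """Hardened check: parse both URLs, require scheme, port and path to match
    exactly, reject userinfo and fragments, and treat the candidate as a
    subdomain only when its host ends with '.' + the registered host."""
    r, c = urlsplit(registered), urlsplit(candidate)
    if c.hostname is None or c.username is not None or c.fragment:
        return False
    if (c.scheme, c.port, c.path) != (r.scheme, r.port, r.path):
        return False
    if c.hostname == r.hostname:
        return True
    return allow_subdomains and c.hostname.endswith("." + r.hostname)


# Candidate redirect URLs, constructed: the second and fourth are the kind of
# attacker-controlled destinations a broken check lets through.
CANDIDATES = [
    "https://app.example.com/callback",
    "https://app.example.com.attacker.tld/callback",
    "https://beta.app.example.com/callback",
    "https://app.example.com@attacker.tld/callback",
    "http://app.example.com/callback",
]

if __name__ == "__main__":
    for url in CANDIDATES:
        print(f"{url:50} naive={naive_allows(REGISTERED, url, True)!s:5} "
              f"strict={strict_allows(REGISTERED, url, True)}")
```

With subdomains allowed, the weak check accepts `app.example.com.attacker.tld`, a host under a TLD the attacker controls, while the hardened check accepts only `app.example.com` itself and hosts ending in `.app.example.com`. The userinfo form `app.example.com@attacker.tld` is rejected by the hardened check because the parser reports `attacker.tld` as the host.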