OwnCloud [1] [2] [3] [4] [5] [6], an open-source file-sharing server app [4], has recently disclosed a critical vulnerability (CVE-2023-49103) in its “graphapi” app. This flaw allows unauthorized access to sensitive data by revealing configuration details of the PHP environment [3]. Attackers can exploit this vulnerability to gain full administrative control of servers running ownCloud [2].
Description
By sending a simple web request to a static URL [4], threat actors can obtain sensitive information such as admin passwords, mail server credentials [2] [3] [5], and license keys [1] [2] [3] [5]. The exploitation of this vulnerability has led to a significant increase in the number of IP addresses sending web requests, indicating mass exploitation. There are over 11,000 IP addresses hosting ownCloud servers [4], highlighting the potential threat. Disabling the app alone does not fully resolve the issue [2], and even non-containerized instances of ownCloud are at risk [2]. To mitigate the exploitation of this vulnerability [4], ownCloud advises users to delete the flawed library and reset server “secrets,” including admin passwords and database credentials.
In addition to this critical vulnerability, ownCloud has also recently addressed two other high-severity vulnerabilities [4], namely an authentication bypass issue (CVE-2023-49105) and a dangerous flaw in the oauth2 app (CVE-2023-49104) [3]. Security researchers have discovered active attack attempts targeting users of the open-source ownCloud file server and content collaboration platform [6]. The attacks exploit a critical vulnerability (CVE-2023-49103) in ownCloud’s Graph API app versions 0.2.0 and 0.3.0 [6]. The vulnerability allows for the disclosure of sensitive credentials and configuration in containerized deployments [6]. Threat intelligence firm GreyNoise has reported mass exploitation attempts targeting the vulnerability [6], with a significant number of attacks targeting Israel [6]. The extent of the vulnerability’s impact is unclear [6], but there have been over 11,000 internet-connected ownCloud installations [6], primarily in Germany [6]. British security researcher Kevin Beaumont believes there are mitigating factors that may limit attackers’ ability to compromise ownCloud deployments [6].
Conclusion
The ownCloud project has released updated software to mitigate the flaw and recommends that users update their software and change certain secrets [6]. Disabling the Graph API app will not mitigate the flaw [6], and all users [6], regardless of whether they are in a containerized environment [6], are at risk [2] [6]. The nonprofit organization Shadowserver Foundation has identified approximately 11,000 exposed ownCloud instances [1], with the majority located in Germany [1], the US [1], and France [1]. Exploitation attempts targeting CVE-2023-49103 have been observed since November 25 [1], with a potential coordinated effort by threat actors or botnets [1]. It is important for administrators to implement the recommended mitigation steps outlined by ownCloud to protect against this vulnerability [1].
References
[1] https://vulnera.com/newswire/critical-owncloud-vulnerability-under-active-exploitation/
[2] https://www.infosecurity-magazine.com/news/hackers-exploit-critical/
[3] https://www.techspot.com/news/100994-critical-vulnerability-owncloud-servers-exploited-en-masse.html
[4] https://arstechnica.com/security/2023/11/owncloud-vulnerability-with-a-maximum-10-severity-rating-comes-under-mass-exploitation/
[5] https://www.hackread.com/owncloud-graphapi-app-vulnerability-exposes-data/
[6] https://www.govinfosecurity.com/attackers-actively-target-critical-owncloud-vulnerability-a-23715