ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation

Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app.

The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.

Spraying the Internet

“We're seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we've seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”

CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they’re configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week’s disclosure, ownCloud officials said that in containerized configurations—such as those using the Docker virtualization tool—the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn’t sufficient to lock down a vulnerable server.

The ownCloud advisory explained:

The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.

It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.

Not all security practitioners regard the vulnerability as posing a widespread threat, the way other vulnerabilities—most recently the vulnerability tracked as CVE-2023-4966 and CitrixBleed—have. Specifically, independent researcher Kevin Beaumont has noted that the CVE-2023-49103 vulnerability wasn’t introduced until 2020, isn’t exploitable by default, and was only introduced in containers in February.

“I don’t think anybody else actually checked if the vulnerable feature is enabled,” he said in an interview. What’s more, an ownCloud Web page showed graphapi had fewer than 900 installs at the time this post went live on Ars. ownCloud officials didn’t immediately respond to an email seeking technical details of the vulnerability and the precise conditions required for it to be exploited.

Given the potential threat posed by CVE-2023-49103, there’s still room for legitimate concern. According to security organization Shadowserver, a recent scan revealed more than 11,000 IP addresses hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland. Even if only a small fraction of the servers are vulnerable, the potential for harm is real.

“Not surprisingly given ease of exploitation we have started seeing OwnCloud CVE-2023-49103 attempts,” Shadowserver officials wrote. “This is a CVSS 10 disclosure of sensitive credentials & configs in containerized deployments. Please follow ownCloud advisory mitigation steps.”

More high-severity ownCloud vulnerabilities

Another reason for concern: ownCloud recently fixed two other high-severity vulnerabilities, including CVE-2023-94105, which has a severity rating of 9.8. The flaw allows for an authentication bypass in the WebDAV API using pre-signed URLs. Hackers can exploit it “to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud officials warned. The vulnerability affects the WebDAV API in ownCloud versions 10.6.0 to 10.13.0.

A third vulnerability tracked as CVE-2023-94104 is a subdomain validation bypass flaw with a severity rating of 8.7. Hackers can exploit it using a redirect URL, making it possible to redirect callbacks to a domain controlled by the attacker.

To fix the ownCloud vulnerability under exploitation, ownCloud advised users to:

Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.

We also advise to change the following secrets:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access-key

While there are no reports of the other two vulnerabilities being actively exploited, users should follow the instructions ownCloud has provided here and here.

In recent months, vulnerabilities in file-sharing apps such as WS-FTP server, MOVEit, IBM Aspera Faspex, and GoAnywhere MFT have enabled the compromise of thousands of enterprise networks. Anyone who ignores the threat posed by the recently fixed ownCloud flaws does so at their own peril.