Security researchers say they are seeing “mass exploitation” of a security vulnerability that allows full control of servers running ownCloud, a widely used open-source file-sharing server package.

The vulnerability, which carries the maximum severity rating of 10, allows an attacker to obtain passwords and cryptographic keys that give administrative control of a vulnerable server, simply by sending a web request to a static URL, ownCloud officials warned last week. Within four days of the Nov. 21 announcement, researchers at security firm Greynoise said, they began observing “mass exploitation” against honeypot servers posing as vulnerable ownCloud servers to track exploitation attempts. The number of IP addresses sending the web requests has grown slowly since then, reaching 13 when this article was published on Ars.

Spraying the Internet

Glenn Thorpe, senior director of security research and detection engineering at Greynoise, said in an interview on Mastodon: “So far we’ve seen 13 IPs hitting our unadvertised sensors, which means they’re spraying it around the web to see what’s being hit.”

CVE-2023-49103 is present in versions 0.2.0 and 0.3.0 of the graphapi app running on some ownCloud deployments, depending on how they were configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details of the PHP environment. In an advisory released last week, ownCloud officials said that in containerized deployments (such as those using the Docker container tool), the URL can reveal sensitive information used to access the server. Officials went on to warn that simply disabling the app is not enough to close the hole.

The ownCloud advisory explained:

The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information contains all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive information such as the ownCloud admin password, mail server credentials, and license key.

It is important to emphasize that simply disabling the graphapi app does not remove the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that an attacker can use to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.
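The disclosure above is a plain GET against a fixed path, which makes it easy to spot in web-server access logs, and the status code and body size tell you whether the request was served. The following detection is an added example written for this article, not code from ownCloud or Greynoise; it uses the vendored file path named in ownCloud's advisory, the sample log lines are constructed, and the 1 KiB body-size threshold for "phpinfo was returned" is an assumption (a 404 page is far smaller, a phpinfo dump far larger).

```python
"""Detect probes for the ownCloud graphapi phpinfo disclosure (CVE-2023-49103)
in web-server access logs.

Added example, not ownCloud's or Greynoise's code. It uses the file path named
in the ownCloud advisory; the log lines below are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# The vendored test script the advisory tells operators to delete.
PHPINFO_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache/nginx "combined" log format (we only need the leading fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(target):
    """Strip the query string, percent-decode, and collapse repeated slashes so
    '/owncloud//apps/graphapi/...%2Ftests%2FGetPhpInfo.php?x=1' compares equal."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/+", "/", path)

def is_phpinfo_probe(target):
    """True when the request path ends with the graphapi phpinfo test script.
    endswith() tolerates ownCloud being served under a sub-path such as /owncloud."""
    return normalize_path(target).lower().endswith(PHPINFO_PATH.lower())

def scan_log(lines):
    """Return {ip: {"requests": n, "disclosed": bool}} for every source that
    hit the phpinfo script. A 2xx answer with a non-trivial body means the
    server very likely returned the phpinfo dump (the file was still present);
    a 404 means the file had already been removed."""
    hits = defaultdict(lambda: {"requests": 0, "disclosed": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_phpinfo_probe(m.group("target")):
            continue
        rec = hits[m.group("ip")]
        rec["requests"] += 1
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        if 200 <= status < 300 and size > 1024:   # assumption: phpinfo output is > 1 KiB
            rec["disclosed"] = True
    return dict(hits)

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [25/Nov/2023:10:02:15 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 86312 "-" "python-requests/2.31"',
    '198.51.100.3 - - [25/Nov/2023:10:02:16 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 86312 "-" "python-requests/2.31"',
    '192.0.2.44 - - [25/Nov/2023:10:05:40 +0000] "GET /owncloud//apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php HTTP/1.1" 404 279 "-" "curl/8.4.0"',
    '203.0.113.7 - - [25/Nov/2023:10:06:00 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['requests']} request(s), disclosure likely: {rec['disclosed']}")
```

Run against the constructed lines, the scanner reports two probing sources: one that received the phpinfo dump twice, and one whose request landed after the file was gone. Treat the first category as a confirmed leak and rotate the secrets listed in the advisory; the path match is case-insensitive and decodes percent-encoding because scanners vary the casing and encoding of the same path.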

Not all security experts consider the vulnerability as widespread a threat as other recent vulnerabilities, most notably the one tracked as CVE-2023-4966 and known as CitrixBleed. Specifically, independent researcher Kevin Beaumont noted that the CVE-2023-49103 vulnerability wasn’t introduced until 2020, isn’t exploitable by default, and was only introduced into containers in February.

“I don’t think anyone else has checked whether the sensitive feature is enabled or not,” he said. Moreover, the ownCloud web page for graphapi showed fewer than 900 installs when this post was published on Ars. ownCloud officials did not immediately respond to an email seeking technical details of the vulnerability and the exact conditions required to exploit it.

Even so, given the potential threat posed by CVE-2023-49103, there is still room for legitimate concern. According to the Shadowserver security organization, a recent scan found more than 11,000 IP addresses hosting ownCloud servers, most of them in Germany, the US, France, Russia, and Poland. Even if only a small fraction of those servers are vulnerable, the potential for damage is real.

“Given the ease of exploitation, we’re starting to see attempts at OwnCloud CVE-2023-49103,” Shadowserver officials wrote. “This is the CVSS 10 disclosure of sensitive credentials and configurations in containerized deployments. Please follow the ownCloud advisory mitigation steps.”

Higher-severity ownCloud vulnerabilities

Another cause for concern: ownCloud recently patched two other high-severity vulnerabilities, including CVE-2023-49105, which has a severity rating of 9.8. The flaw allows an authentication bypass in the WebDAV API by using pre-signed URLs. Attackers can use it “to access, modify, or delete any file without authentication if the victim’s username is known and the victim does not have a configured signing key (which is the default).” The vulnerability affects the WebDAV API in ownCloud versions 10.6.0 through 10.13.0.

The third vulnerability, tracked as CVE-2023-49104, is a subdomain validation bypass with a severity rating of 8.7. Attackers can exploit it by supplying a specially crafted redirect URL, which lets them redirect callbacks to a domain they control.

To fix the actively exploited vulnerability, ownCloud advised users to:

Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled phpinfo in our docker-containers. We will implement various hardenings in future major releases to mitigate similar vulnerabilities.

We also recommend changing the following secrets:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access key
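The advisory's steps are mechanical enough to script: confirm the vendored test file is gone (or remove it), confirm phpinfo itself is switched off, and enumerate which container secrets have to be rotated because they were reachable through the leak. The checker below is an added example written for this article, not ownCloud's tooling. It assumes the file path from the advisory, that phpinfo is disabled through PHP's `disable_functions` directive in php.ini (the advisory does not say how ownCloud disabled it in its images), and a constructed set of environment variable names that stand in for a real container's; the deployment tree it inspects is built in a temporary directory for the demo.

```python
"""Check and apply the ownCloud advisory's mitigations for CVE-2023-49103 on a
deployment tree.

Added example, not ownCloud's code. Assumptions: the file path from the
advisory; phpinfo is disabled via PHP's disable_functions directive; the
environment variable names in demo() are constructed, not taken from ownCloud
documentation.
"""
import os
import re
import tempfile

PHPINFO_FILE = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Names that look like the secrets the advisory says phpinfo can expose
# (admin password, mail and database credentials, object-store key, license).
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|ACCESS_KEY|LICENSE|TOKEN)", re.I)

def phpinfo_disabled(php_ini_text):
    """True if a disable_functions line in php.ini lists phpinfo."""
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            funcs = {f.strip().lower() for f in m.group(1).strip('"').split(",")}
            if "phpinfo" in funcs:
                return True
    return False

def secrets_to_rotate(env):
    """Names of env vars whose values would have leaked through phpinfo and so
    must be rotated, regardless of whether the file is still present."""
    return sorted(k for k in env if SECRET_NAME_RE.search(k))

def assess(owncloud_root, php_ini_text, env, fix=False):
    """Return findings for one deployment; with fix=True delete the test file."""
    target = os.path.join(owncloud_root, PHPINFO_FILE)
    present = os.path.isfile(target)
    if present and fix:
        os.remove(target)
        present = False
    return {
        "phpinfo_file_present": present,
        "phpinfo_function_disabled": phpinfo_disabled(php_ini_text),
        "rotate": secrets_to_rotate(env),
    }

def demo():
    """Build a constructed vulnerable tree in a temp dir, assess it, fix it, re-assess."""
    # Constructed container environment; names are illustrative, not from ownCloud docs.
    env = {
        "OWNCLOUD_ADMIN_PASSWORD": "hunter2",
        "OWNCLOUD_MAIL_SMTP_PASSWORD": "mailpass",
        "OWNCLOUD_DB_PASSWORD": "dbpass",
        "OWNCLOUD_OBJECTSTORE_SECRET": "s3secret",
        "OWNCLOUD_DOMAIN": "files.example.com",
        "PATH": "/usr/local/bin:/usr/bin",
    }
    weak_ini = "; php.ini\ndisable_functions =\n"
    hardened_ini = "; php.ini\ndisable_functions = \"exec,phpinfo\"\n"
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, PHPINFO_FILE)
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write("<?php phpinfo();\n")       # stand-in for the vendored test script
        before = assess(root, weak_ini, env)
        after = assess(root, hardened_ini, env, fix=True)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The two checks are deliberately independent: deleting the file closes this specific URL, while disabling `phpinfo` in PHP removes the primitive so that another vendored debug script cannot reopen it, which is the spirit of the advisory's note that disabling the app alone is not enough. The rotation list is produced whether or not the file is still present, because what matters is whether the file was reachable before the fix, not whether it is there now.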

While there are no reports of the other two vulnerabilities being actively exploited, users should follow the guidance provided in ownCloud’s advisories for each of them.

In recent months, vulnerabilities in file-sharing applications such as WS_FTP Server, MOVEit, IBM Aspera Faspex, and GoAnywhere MFT have been used to compromise thousands of corporate networks. Anyone who ignores the threat posed by the recently patched ownCloud flaws does so at their own peril.