Security researchers say they have uncovered “mass exploitation” of a vulnerability that allows attackers to take complete control of servers running ownCloud, a widely used open source file-sharing server app.
The vulnerability carries the maximum severity rating of 10, and ownCloud officials warned last week that a simple web request to a static URL can yield passwords and encryption keys that give administrative control of vulnerable servers. Within four days of the Nov. 21 disclosure, researchers at security firm Greynoise said they began observing “mass exploitation” on honeypot servers they had set up to masquerade as vulnerable ownCloud servers and track attempts to exploit the vulnerability. Since then, the number of IP addresses sending the web requests has gradually increased; by the time this post was published on Ars, it had reached 13.
Spraying the internet
“We have seen attacks on certain endpoints that expose sensitive information, and this is considered an exploit,” Glenn Thorpe, senior director of security research and detection engineering at Greynoise, said in an interview on Mastodon. “Right now, we’ve confirmed that 13 IPs are accessing our private sensors, which shows they’re pretty spread out across the Internet to see what hits.”
CVE-2023-49103 exists in graphapi versions 0.2.0 and 0.3.0, an app that runs on some ownCloud deployments, depending on how they are configured. A third-party code library used by the app provides a URL that, when accessed, displays configuration details of the PHP environment. In a disclosure last week, ownCloud officials said that in containerized configurations, such as those using Docker, the URL could reveal data used to log in to a vulnerable server. Officials also warned that simply disabling the app is not enough to lock down vulnerable servers.
The ownCloud advisory explains:
The “graphapi” app relies on a third-party library that provides a URL. Accessing this URL will display configuration details for your PHP environment (phpinfo). This information includes all environment variables for your web server. In a containerized deployment, these environment variables can contain sensitive data such as your ownCloud administrator password, email server credentials, and license keys.
It is important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other sensitive configuration details that attackers can exploit to gather information about your system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability is still a cause for concern.
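Because the indicator here is a request for one fixed path, the quickest check a defender can run is over the web server's access log. The script below is an added example for this article, not code from ownCloud or Greynoise. It assumes the Apache/nginx "combined" log format and works on constructed log lines (documentation-range IP addresses, made-up timestamps and user agents). It counts requests for the GetPhpInfo.php path, separates the ones answered with HTTP 200 (the file was present and most likely served phpinfo) from 404s (the host is being scanned but had nothing to leak), and lists the distinct source addresses, which is the number Greynoise is reporting from its sensors.

```shell
#!/bin/sh
# Access-log hunt for CVE-2023-49103 probes.
# Added example for this article; not code from ownCloud or Greynoise.
# Assumes the Apache/nginx "combined" log format:
#   IP - - [date] "METHOD /path HTTP/x" STATUS BYTES "referer" "user-agent"
# so the request path is field 7 and the status code is field 9.

# Path of the phpinfo test page, relative to the ownCloud web root (from the advisory).
VULN_PATH='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Print every request line whose path contains the fragment. Substring matching
# (rather than an exact path) also catches deployments served under a prefix
# such as /owncloud/ and requests with a query string appended.
phpinfo_hits() {
    grep -F "$VULN_PATH" "$1"
}

# Number of probe lines; prints 0 (and succeeds) when there are none.
count_hits() {
    grep -cF "$VULN_PATH" "$1" || true
}

# Probes answered with HTTP 200: the file was there and the server most likely
# served phpinfo, so the secrets named in the advisory should be treated as exposed.
# A 404 means the file was absent but the host is being scanned.
count_200_hits() {
    grep -F "$VULN_PATH" "$1" | awk '$9 == "200" { n++ } END { print n + 0 }'
}

# Distinct source addresses probing the path, one per line.
distinct_sources() {
    grep -F "$VULN_PATH" "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log for demonstration: addresses are from documentation
# ranges, timestamps and user agents are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "python-requests/2.31.0"
198.51.100.7 - - [25/Nov/2023:10:01:09 +0000] "GET /index.php/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Nov/2023:10:02:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 48211 "-" "curl/8.4.0"
192.0.2.55 - - [25/Nov/2023:10:03:01 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 211 "-" "Go-http-client/1.1"
EOF
}

# Run with --demo to build the sample log and report on it.
if [ "${1:-}" = "--demo" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
    echo "probes: $(count_hits "$LOG"), answered 200: $(count_200_hits "$LOG")"
    echo "sources:"
    distinct_sources "$LOG"
    rm -f "$LOG"
fi
```

Point the functions at your real access log instead of the sample. A 200 on that path is the signal to rotate the secrets listed in the advisory; note that a reverse proxy or catch-all rewrite can also return 200 for unknown paths, so confirm with the response size or body before deciding nothing leaked.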
Not all security experts believe this vulnerability poses a widespread threat on the scale of other recent vulnerabilities, most notably CVE-2023-4966, known as CitrixBleed. Specifically, independent researcher Kevin Beaumont pointed out that CVE-2023-49103 was not introduced until 2020, is not exploitable by default, and was only introduced to containers in February.
“I don’t think anyone else actually checked to see if the vulnerable feature was enabled,” he said in an interview. Additionally, according to an ownCloud web page, graphapi had fewer than 900 installations at the time this post was published on Ars. ownCloud representatives did not immediately respond to an email requesting technical details of the vulnerability or the exact conditions needed for it to be exploited.
Even so, there is still legitimate cause for concern about the potential threat posed by CVE-2023-49103. According to the security organization Shadowserver, a recent scan found more than 11,000 IP addresses hosting ownCloud servers, primarily at addresses in Germany, the United States, France, Russia, and Poland. Even if only a small portion of those servers are vulnerable, the potential for damage is real.
“Given the ease of exploitation, it is no surprise that we are now seeing attempts at OwnCloud CVE-2023-49103,” Shadowserver officials wrote. “This is a CVSS 10 disclosure regarding sensitive credentials and configuration in containerized deployments. Please follow mitigation steps as per ownCloud recommendations.”
More severe ownCloud vulnerabilities
Another reason for concern is that ownCloud recently fixed two other high-severity vulnerabilities, including CVE-2023-49105, which has a severity rating of 9.8. This flaw allows authentication bypass in the WebDAV API using pre-signed URLs. ownCloud officials warned that attackers could exploit it to “access, modify, or delete files without authentication if the victim’s username is known and the victim does not have a signing key configured (default).” The vulnerability affects the WebDAV API in ownCloud versions 10.6.0 through 10.13.0.
The third vulnerability, tracked as CVE-2023-49104, is a subdomain validation bypass with a severity rating of 8.7. An attacker could exploit it by using a redirect URL to send callbacks to an attacker-controlled domain.
To remediate the exploited ownCloud vulnerability, ownCloud recommends that users:
Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.
Additionally, we disabled the phpinfo function in docker-containers. In future core releases, we plan to apply various enhancements to mitigate similar vulnerabilities. We also recommend changing the following secrets:
– ownCloud administrator password
– Mail server credentials
– Database credentials
– Object store/S3 access key
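The advisory's steps above, as an added shell helper for this article (not ownCloud's own tooling): it removes the GetPhpInfo.php file under a given ownCloud root, reports whether the file was present, and, when a base URL is also supplied, fetches the same path over HTTP and checks whether the response still looks like phpinfo output. The install root and base URL are assumptions passed on the command line; the URL check assumes the install root is served as the web root (add the /owncloud/ prefix if your deployment lives there) and needs curl and network access. Because the file ships inside the app's vendor directory, re-run the check after any graphapi update. Rotating the listed secrets is still required: deleting the file stops future leaks but does not undo any that already happened.

```shell
#!/bin/sh
# Remediation helper for CVE-2023-49103.
# Added example for this article; not ownCloud's own tooling.
# Usage: sh fix-graphapi-phpinfo.sh OWNCLOUD_ROOT [BASE_URL]
#   OWNCLOUD_ROOT  e.g. /var/www/owncloud          (assumed path)
#   BASE_URL       e.g. https://cloud.example.com  (assumed host; optional)

# The phpinfo test page named in the advisory, relative to the ownCloud root.
PHPINFO_FILE='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Delete the file under the given root. Prints "removed" or "absent" and
# returns 0; returns 1 if the file is still there after the attempt.
remove_phpinfo_file() {
    target="$1/$PHPINFO_FILE"
    if [ ! -e "$target" ]; then
        echo absent
        return 0
    fi
    rm -f "$target"
    if [ -e "$target" ]; then
        echo "still present: $target" >&2
        return 1
    fi
    echo removed
}

# Read an HTTP response body on stdin and succeed if it is phpinfo() output.
# phpinfo pages carry a "PHP Version" heading (and, in containers, an
# Environment table full of variables); an error page does not.
body_looks_like_phpinfo() {
    grep -q 'PHP Version'
}

# Fetch the path from a live server and succeed if phpinfo is still served.
# Needs curl and network access; -f makes 4xx/5xx responses produce no body.
check_exposed() {
    curl -fsS --max-time 10 "${1%/}/$PHPINFO_FILE" 2>/dev/null | body_looks_like_phpinfo
}

# Command-line entry point; when sourced without arguments only the functions are defined.
if [ -n "${1:-}" ]; then
    remove_phpinfo_file "$1" || exit 1
    if [ -n "${2:-}" ]; then
        if check_exposed "$2"; then
            echo "WARNING: phpinfo is still reachable at $2" >&2
            exit 2
        fi
        echo "phpinfo no longer reachable at $2"
    fi
    echo "Now rotate: admin password, mail server credentials, database credentials, object store/S3 keys"
fi
```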
There are no reports of the other two vulnerabilities being actively exploited, but users should follow the instructions in ownCloud's advisories for each.
In recent months, vulnerabilities in file-transfer apps such as WS_FTP Server, MOVEit, IBM Aspera Faspex, and GoAnywhere MFT have put thousands of corporate networks at risk of compromise. Those who ignore the threat posed by the recently fixed ownCloud flaw do so at their own peril.