The cybersecurity community has raised concerns after detecting active exploitation of ownCloud through the CVE-2023-49103 vulnerability.
The spotlight is on ownCloud, a well-known open-source file server recognized for its secure storage, file-sharing, and collaboration capabilities. This attention comes in the wake of the disclosure of three critical vulnerabilities, including CVE-2023-49103.
All about the vulnerability
ownCloud versions 0.2.0 to 0.3.0 are affected by the CVE-2023-49103 vulnerability, which carries the maximum CVSS severity rating of 10. The vulnerability is located in the “graphapi” app, which relies on a third-party library (GetPhpInfo.php) that exposes the PHP environment's configuration, revealing passwords and keys.
This occurs because the library provides a URL that, when accessed, discloses the configuration details (phpinfo) of the PHP environment. That output includes every web server environment variable, and in containerized deployments these variables may hold sensitive data such as admin passwords, mail server credentials, and license keys.
As of November 25, 2023, GreyNoise has documented extensive exploitation of the CVE-2023-49103 vulnerability in real-world situations.
The ongoing focus on file-sharing software signals a lasting trend, raising concerns that ownCloud may become a target. This worry is highlighted by the impactful Clop Ransomware attacks on Progress’ MOVEit Transfer product and the preceding exploitation of the GoAnywhere MFT vulnerability (CVE-2023-0669), contributing to a significant 91% rise in ransomware incidents.
SANS detected scans probing the CVE-2023-49103-vulnerable URL; its article lists five source IP addresses together with their origin and activity.
How to Fix the CVE-2023-49103 Vulnerability in ownCloud?
Regarding the other critical vulnerabilities disclosed by ownCloud, namely CVE-2023-49104 and CVE-2023-49105:
CVE-2023-49104, rated at 8.7 in terms of CVSS, is recognized as a Subdomain Validation Bypass vulnerability.
An attacker can exploit this vulnerability by using a carefully crafted redirect-url to bypass validation, enabling them to redirect callbacks to a Top-Level Domain (TLD) controlled by the attacker. This flaw exists in the oauth2 app prior to version 0.6.1 when the “Allow Subdomains” option is activated.
As a temporary workaround, ownCloud advises users to deactivate the “Allow Subdomains” option; the permanent mitigation hardens the validation code in the oauth2 app.
CVE-2023-49105, scoring 9.8 on the CVSS scale, is an Authentication Bypass vulnerability. Exploiting this flaw allows unauthorized access, modification, or deletion of any file without authentication, as long as the victim’s username is known, and the victim has not configured a signing-key (following default behavior).
This vulnerability emerges due to the acceptance of pre-signed URLs even when no signing-key is configured for the file owner. It impacts the WebDAV API in ownCloud versions 10.6.0 to 10.13.0.
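The following is an added illustration of the root cause described above, not ownCloud's own code: a simplified model of a pre-signed URL check in which the vulnerable version treats "no signing key configured" as an empty key, while the hardened version refuses pre-signed URLs for such users. Function names, URL parameters, the sample path and the sample key are all assumptions constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Simplified model (constructed for illustration, not ownCloud's real scheme):
# a pre-signed URL carries a path, an expiry, and an HMAC over both computed
# with the file owner's per-user signing key.

def _signature(key: bytes, path: str, expires: int) -> str:
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_presigned(key: bytes, path: str, ttl: int = 600) -> dict:
    expires = int(time.time()) + ttl
    return {"path": path, "expires": expires, "sig": _signature(key, path, expires)}

def verify_vulnerable(owner_key: Optional[bytes], params: dict) -> bool:
    # Flaw modelled here: an owner who never configured a signing key is
    # treated as having an empty key, so a signature computed with b"" verifies.
    key = owner_key if owner_key is not None else b""
    expected = _signature(key, params["path"], params["expires"])
    return hmac.compare_digest(expected, params["sig"]) and params["expires"] > time.time()

def verify_hardened(owner_key: Optional[bytes], params: dict) -> bool:
    # Fix: with no configured signing key, pre-signed URLs are not accepted at all.
    if not owner_key:
        return False
    if params["expires"] <= time.time():
        return False
    expected = _signature(owner_key, params["path"], params["expires"])
    return hmac.compare_digest(expected, params["sig"])

def demo() -> Tuple[bool, bool, bool]:
    # Victim "alice" has no signing key; a URL "signed" with the empty key is
    # accepted by the vulnerable check and rejected by the hardened one.
    forged = make_presigned(b"", "/dav/files/alice/report.pdf")  # constructed path
    # A user who did configure a key still gets working URLs after the fix.
    bob_key = b"bob-secret-signing-key"                            # constructed key
    legit = make_presigned(bob_key, "/dav/files/bob/notes.txt")
    return (verify_vulnerable(None, forged),
            verify_hardened(None, forged),
            verify_hardened(bob_key, legit))

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```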