Attackers are trying to exploit a critical information disclosure vulnerability (CVE-2023-49103) in ownCloud, a popular file sharing and collaboration platform used in enterprise settings.
GreyNoise and SANS ISC say attempts were first spotted over the weekend, though Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute, noted that attacks against ownCloud are not rare, and “many of them are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords.”
About CVE-2023-49103
OwnCloud developers disclosed CVE-2023-49103 and two other critical flaws (CVE-2023-49104, CVE-2023-49105) affecting the ownCloud solution at the beginning of last week, after making fixes available.
CVE-2023-49103 – the most critical of the three and the one that’s being actively targeted – is in the solution’s Graph API app, and may allow attackers to gain access to sensitive data.
“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the developers explained.
“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”
CVE-2023-49104 affects the solution’s oauth2 app and allows attackers to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”
CVE-2023-49105 is an authentication bypass flaw that allows attackers to access, modify or delete files if they know the victim’s username and the victim has no signing key configured (which is the default).
Fixes and mitigations
Admins are advised to implement the provided fixes or workarounds, and to take the risk mitigation actions delineated in the published advisories.
For CVE-2023-49103, the latter include deleting the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo and changing the ownCloud admin password, the mail server and database credentials, and the Object-Store/S3 access key.
“It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern,” the company said, and added that Docker containers from before February 2023 are not vulnerable to credential disclosure.
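A log triage sketch for the CVE-2023-49103 guidance above, added here as an example and not taken from ownCloud's advisory or from this article: it flags access-log requests that touch the phpinfo test file named in the advisory and separates served responses (credentials should be treated as disclosed) from failed probes. The combined access log format, the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Path fragment from the advisory text quoted in the article, lowercased.
# Matching is by substring, so any file extension or prefix directory is still caught.
MARKER = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo"

# Assumed format: common/combined access log
#   ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, decode percent-escapes twice, collapse slashes, lowercase."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # second pass handles double-encoded paths
        path = unquote(path)
    return re.sub(r"/+", "/", path).lower()

def triage(lines):
    """Return (ip, time, status, verdict) for each request touching the phpinfo test file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or MARKER not in normalize(m["target"]):
            continue  # unparseable line or unrelated request
        status = int(m["status"])
        # A 2xx answer means the phpinfo output, environment variables included, was served.
        verdict = "EXPOSED" if 200 <= status < 300 else "probe"
        hits.append((m["ip"], m["time"], status, verdict))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [27/Nov/2023:08:14:02 +0000] "GET /apps/graphapi/vendor/microsoft/'
    'microsoft-graph/tests/GetPhpInfo HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '203.0.113.20 - - [27/Nov/2023:09:01:45 +0000] "GET /owncloud//apps/graphapi/vendor/'
    'microsoft/microsoft-graph/tests/GetPhp%49nfo?x=1 HTTP/1.1" 200 71234 "-" "-"',
    '192.0.2.55 - alice [27/Nov/2023:09:02:10 +0000] "GET /index.php/apps/files/ HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    "truncated or malformed line",
]

if __name__ == "__main__":
    for ip, when, status, verdict in triage(SAMPLE):
        print(f"{verdict:8} {status} {ip} {when}")
```

Any `EXPOSED` hit means the credentials listed in the advisory should be rotated even if the file has since been deleted.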