Discover the Latest Vulnerability in ownCloud with a 10 Severity Score and Potential for Mass Exploitation


Reports are surfacing of substantial exploitation of a high-severity security vulnerability in the widely used open-source file-sharing server app ownCloud. The flaw, which holds the highest severity rating, allows cybercriminals to acquire passwords and cryptographic keys, providing complete administrative control over a susceptible server through a simple web request to a static URL, according to ownCloud officials’ recent warning.

The vulnerability, tracked as CVE-2023-49103, affects versions 0.2.0 and 0.3.0 of graphapi, an app utilized in certain ownCloud deployments. Security firm Greynoise’s researchers have observed a surge in “mass exploitation” of this flaw following the disclosure. The number of IP addresses sending the exploitative web requests has been steadily increasing and reached 13 at the time of publishing.

Spraying the Internet

Glenn Thorpe, senior director of security research & detection engineering at Greynoise, stated in an interview that the exploitation is being conducted by sending requests to the specific endpoint where sensitive details are exposed. So far, 13 IPs have been detected, suggesting that the exploit is being widely distributed and tested across the internet.

The vulnerability surfaces in the graphapi app due to a third-party library that exposes PHP environment configuration details. The configuration variables in a containerized environment may include sensitive data, such as server credentials and license keys, posing a significant risk of unauthorized access. The advisory from ownCloud emphasizes that simply disabling the affected app is not an effective means of securing the server.

The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.

It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.
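An added example, not code from ownCloud or Greynoise: a Python triage of web access logs that lists which source IPs requested the phpinfo URL and which of them actually received the page. `EXPOSED_PATH` is a placeholder to replace with the URL named in the ownCloud advisory, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# ASSUMPTION: placeholder, not the real path. Use the URL named in the ownCloud advisory.
EXPOSED_PATH = "/PLACEHOLDER/graphapi-phpinfo-endpoint.php"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(target):
    """Drop the query string, percent-decode, collapse slashes, fold case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower().rstrip("/") or "/"

def triage(lines, exposed_path=EXPOSED_PATH):
    """Return {ip: {"hits": n, "served": n}} for requests to the exposed URL."""
    wanted = normalize(exposed_path)
    report = defaultdict(lambda: {"hits": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        path = normalize(m["target"]) if m else ""
        # PHP also runs script.php/extra (PATH_INFO), so count that form too.
        if path != wanted and not path.startswith(wanted + "/"):
            continue
        report[m["ip"]]["hits"] += 1
        # A 200 with a body means phpinfo output, environment included, was sent.
        if m["status"] == "200" and m["size"] not in ("-", "0"):
            report[m["ip"]]["served"] += 1
    return dict(report)

def exposed_sources(report):
    """IPs that received the page: treat every secret in the environment as leaked."""
    return sorted(ip for ip, r in report.items() if r["served"])

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2023:10:01:02 +0000] "GET /PLACEHOLDER/graphapi-phpinfo-endpoint.php HTTP/1.1" 200 71234 "-" "curl/8.4.0"',
    '198.51.100.7 - - [27/Nov/2023:10:05:40 +0000] "GET //PLACEHOLDER/Graphapi-PHPinfo-endpoint.php?x=1 HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [27/Nov/2023:10:06:11 +0000] "GET /PLACEHOLDER/graphapi-phpinfo-endpoint.php/extra HTTP/1.1" 200 71234 "-" "-"',
    '203.0.113.5 - - [27/Nov/2023:10:07:00 +0000] "GET /status.php HTTP/1.1" 200 160 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Nov/2023:10:08:30 +0000] "GET /PLACEHOLDER/graphapi%2Dphpinfo%2Dendpoint.php HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    print("page was served to:", exposed_sources(triage(SAMPLE_LOG)))
```

A non-empty result from `exposed_sources` means the environment variables were disclosed, so the credentials they hold need rotating regardless of whether the app has since been disabled.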

Despite conflicting opinions about how widespread a threat this vulnerability poses, it is crucial to address the risks it carries. The company also recently addressed two other high-severity vulnerabilities, CVE-2023-94105 and CVE-2023-94104, which makes taking the necessary mitigation steps all the more important.

More high-severity ownCloud vulnerabilities

A recent scan by security organization Shadowserver has identified over 11,000 IP addresses hosting ownCloud servers, particularly in Germany, the US, France, Russia, and Poland, heightening concerns about the potential reach of these vulnerabilities. It is critical for system administrators to implement the mitigation steps and remain vigilant in safeguarding their infrastructure.

OwnCloud has provided detailed guidance for users to address the vulnerabilities, emphasizing the importance of performing the recommended actions to prevent unauthorized access or exploitation of data.

Anyone underestimating the threat posed by these vulnerabilities runs the risk of compromising their network, as incidents involving various file-sharing apps in recent months have shown. They serve as a stark reminder of the ongoing need for robust cybersecurity measures.
