Getty Images
(*10*)
Security researchers are monitoring what they are saying is the “mass exploitation” of a safety vulnerability that makes it doable to take full management of servers operating ownCloud, a extensively used open-source filesharing server app.
The vulnerability, which carries the maximum severity ranking of 10, makes it doable to acquire passwords and cryptographic keys permitting administrative management of a susceptible server by sending a easy Web request to a static URL, ownCloud officers warned final week. Within 4 days of the November 21 disclosure, researchers at safety agency Greynoise mentioned, they started observing “mass exploitation” of their honeypot servers, which masqueraded as susceptible ownCloud servers to trace makes an attempt to take advantage of the vulnerability. The variety of IP addresses sending the online requests has slowly risen since then. At the time this put up went reside on Ars, it had reached 13.
Spraying the Internet
“We’re seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of safety analysis & detection engineering at Greynoise, mentioned in an interview on Mastodon. “At the moment, we’ve seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”
CVE-2023-49103 resides in variations 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, relying on the best way they’re configured. A 3rd-party code library utilized by the app offers a URL that, when accessed, reveals configuration particulars from the PHP-based atmosphere. In final week’s disclosure, ownCloud officers mentioned that in containerized configurations—resembling these utilizing the Docker virtualization instrument—the URL can reveal information used to log into the susceptible server. The officers went on to warn that merely disabling the app in such circumstances wasn’t ample to lock down a susceptible server.
The ownCloud advisory defined:
The “graphapi” app depends on a third-party library that gives a URL. When this URL is accessed, it reveals the configuration particulars of the PHP atmosphere (phpinfo). This info consists of all of the atmosphere variables of the webserver. In containerized deployments, these atmosphere variables might embrace delicate information such because the ownCloud admin password, mail server credentials, and license key.
It’s necessary to emphasise that merely disabling the graphapi app doesn’t eradicate the vulnerability. Additionally, phpinfo exposes numerous different doubtlessly delicate configuration particulars that might be exploited by an attacker to collect details about the system. Therefore, even when ownCloud shouldn’t be operating in a containerized atmosphere, this vulnerability ought to nonetheless be a trigger for concern.
Not all safety practitioners regard the vulnerability as posing a widespread menace, the best way different vulnerabilities—most not too long ago the vulnerability tracked as CVE-2023-4966 and CitrixBleed—have. Specifically, impartial researcher Kevin Beaumont has famous that the CVE-2023-49103 vulnerability wasn’t launched till 2020, isn’t exploitable by default, and was solely launched in containers in February.
“I don’t think anybody else actually checked if the vulnerable feature is enabled,” he mentioned in an interview. What’s extra, an ownCloud Web web page confirmed graphapi had fewer than 900 installs on the time this put up went reside on Ars. ownCloud officers didn’t instantly reply to an e mail searching for technical particulars of the vulnerability and the exact situations required for it to be exploited.
Given the potential menace posed by CVE-2023-49103, there’s nonetheless room for authentic concern. According to safety group Shadowserver, a latest scan revealed greater than 11,000 IP addresses internet hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland. Even if solely a small fraction of the servers are susceptible, the potential for hurt is actual.
“Not surprisingly given ease of exploitation we have started seeing OwnCloud CVE-2023-49103 attempts,” Shadowserver officers wrote. “This is a CVSS 10 disclosure of sensitive credentials & configs in containerized deployments. Please follow ownCloud advisory mitigation steps.”
More high-severity ownCloud vulnerabilities
Another purpose for concern: ownCloud not too long ago mounted two different high-severity vulnerabilities, together with CVE-2023-94105, which has a severity ranking of 9.8. The flaw permits for an authentication bypass within the WebDAV API utilizing pre-signed URLs. Hackers can exploit it “to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud officers warned. The vulnerability impacts the WebDAV API in ownCloud variations 10.6.0 to 10.13.0.
A 3rd vulnerability tracked as CVE-2023-94104 is a subdomain validation bypass flaw with a severity ranking of 8.7. Hackers can exploit it utilizing a redirect URL, making it doable to redirect callbacks to a site managed by the attacker.
To repair the ownCloud vulnerability under exploitation, ownCloud suggested customers to:
Delete the file
owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/checks/GetPhpInfo.php.Additionally, we disabled the phpinfo perform in our docker-containers. We will apply numerous hardenings in future core releases to mitigate comparable vulnerabilities.We additionally advise to alter the next secrets and techniques:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access-key
While there aren’t any reviews of the opposite two vulnerabilities being actively exploited, customers ought to comply with the directions ownCloud has supplied right here and right here.
In latest months, vulnerabilities in file sharing apps resembling WS-FTP server, MOVEit, and IBM Aspera Faspex, and GoAnywhere MFT have enabled the compromise of hundreds of enterprise networks. Anyone who ignores the menace posed by the not too long ago mounted ownCloud flaws does so at their very own peril.