This story has been UPDATED with ownCloud patching the vulnerability. More information at the end of this page.
A critical security flaw in the ownCloud file-sharing service is being “actively exploited” days after its disclosure.
The vulnerability, tracked as CVE-2023-49103, is classified as an information disclosure bug and holds a maximum CVSS severity score of 10. Victims risk leakage of sensitive data, including passwords and other credentials tied to the flaw in ownCloud’s graphapi app, according a security bulletin posted last Tuesday.
According to threat intelligence firm GreyNoise, the vulnerability has been targeted by threat actors via probing vulnerable ownCloud ports over the past seven days.
“IP addresses with this tag have been observed attempting to exploit CVE-2023-49103, an information disclosure vulnerability in ownCloud's Graph API app,” GreyNoise wrote in an alert.
Rapid7 principal security researcher Stephen Fewer said that despite the critical nature of the bug, an attacker would have to go to great lengths to exploit the bug. He noted on the site AttackerKB that the bug requires an “uncommon configuration” of ownCloud to be exploitable.
“Some installations of ownCloud may contain a vulnerable graphapi application which exposes a PHP endpoint /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php that allows the output of the phpinfo() function to be displayed to an attacker,” Fewer wrote. “This output may contain sensitive information, such as secrets held in environment variables. However successfully reaching the target endpoint requires a certain configuration, and not all instances of ownCloud, even if they have the vulnerable graphapi application installed, are actually vulnerable to exploitation.”
Malicious actors jump on opportunity to exploit ownCloud vulnerability
OwnCloud publicly disclosed the vulnerability on Nov. 21 and threat actors began attempting to exploit the bug four days later, wrote Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, in a Nov. 27 blog post.
GreyNoise has tracked 40 unique IPs attempting to exploit the critical bug, according to the firm’s visual dashboard tracking the malicious activity.
As of this writing, there are no confirmed hacking incidents tied to the vulnerability.
On ownCloud’s customer forum, one user wrote that they received a message purporting to be from the “LockBit hacking group,” and that files were being erased. SC Media can’t confirm this report. The user later reported that everything was “back to normal” after following recommendations from ownCloud to upgrade their server and whitelist safe IPs.
SC Media reached out to ownCloud for more information about the extent of the exploitation and received no reply.
OwnCloud announced CVE-2023-49103 along with two other vulnerabilities, CVE-2023-49104 and CVE-2023-49105. The former has a high CVSS score of 8.7 and allows attackers to bypass subdomain validation within the oauth2 app to redirect callbacks to their own TLD; the latter has a critical CVSS score 9.8 and makes it possible for attackers to access, alter and delete files without further authentication if the victim’s username is known. CVE-2023-49105 also requires the victim to have no signing-key configured, which is the default setting.
“We take security as our first priority,” ownCloud said in a comment on X. “Therefore, fixes were prepared and customers notified already on Sept. 20, BEFORE the security breaches were made public.”
Ashley Leonard, CEO of endpoint and vulnerability management company Syxsense, told SC Media that ownCloud took the right tack by promptly disclosing the flaw.
“Transparency can enhance confidence in the company: secrecy and ‘security by obscurity’ hasn’t worked generally (look where we are), so taking an approach to being more open about vulnerabilities and how to fix them should be significant,” Leonard said.
What is the ownCloud vulnerability and how do I fix it?
The ownCloud vulnerability lies in the exposure of a URL provided by a third-party library used by the graphapi app versions 0.20 – 0.3.0. Those who access the URL can view the phpinfo of a webserver including the PHP environment’s configuration details and all environment variables. This especially impacts containerized deployments, where the phpinfo can include the ownCloud admin password, mail server credentials, database credentials and license key.
Remediation includes deleting the file owncloud/appls/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to prevent data leakage, ownCloud wrote. The company added that it has disabled the phpinfo function in its docker-containers. Docker-containers from before February 2023 are not vulnerable to exploitation. Users are also urged to change their ownCloud admin password, mail server and database credentials, and Object-Store/S3 access-key.
Security researcher Will Dormann wrote on X that he does not believe exploits of the vulnerability to be effective. Dormann is a software vulnerability analyst with Carnegie Mellon Software Engineering Institute's CERT Coordination Center.
“If use of a non-working exploit spikes in the wild, does that count towards it being exploited in the wild?” Dormann said.