Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

2023-11-25 04:00:00
The Hacker News
thehackernews.com
disclosure of sensitive information
modification of files
authentication bypass
subdomain validation bypass
remote code execution

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 10 High
  Confidence: High

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.009 Low
  Percentile: 81.1%

The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.

A brief description of the vulnerabilities is as follows -

  • CVE-2023-49103 (CVSS score: 10.0) - Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0.
  • CVE-2023-49105 (CVSS score: 9.8) - WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0.
  • CVE-2023-49104 (CVSS score: 9.0) - Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1.

“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said of the first flaw.

“This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”

As a fix, ownCloud recommends deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. It also advises users to change secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.

The second problem makes it possible to access, modify or delete any file sans authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.

Lastly, the third flaw relates to a case of improper access control that allows an attacker to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”

Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has suggested that users disable the “Allow Subdomains” option as a workaround.

The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.

The issue, discovered and reported by Converge security researcher Ryan Emmons, has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.

“This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”

CVE-2023-49103 Comes Under Active Attack

Reports have emerged of active exploitation of CVE-2023-49103, a critical flaw affecting the “graphapi” app used in ownCloud that could be exploited to access admin passwords, mail server credentials, and license keys.

Threat intelligence firm GreyNoise said it observed mass exploitation of the flaw in the wild as early as November 25, with SANS Internet Storm Center (ISC) detecting scans originating from five different IP addresses.

“Attacks against ownCloud are not rare,” Johannes B. Ullrich, dean of research at the SANS Technology Institute, said. “Many of them are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords.”
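
Requests for the file named in ownCloud's advisory show up in web server access logs, and a successful response means the environment variables should be treated as disclosed and the secrets rotated. The detector below is an added example, not code from ownCloud or from the article; it assumes Apache/nginx "combined" log format, and the sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Path of the file the advisory says to delete (taken from the article), lowercased.
PHPINFO_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Return the request path percent-decoded (twice), slash-collapsed, lowercased."""
    path = urlsplit(target).path
    for _ in range(2):          # second pass handles double-encoded characters
        path = unquote(path)
    return re.sub(r"/+", "/", path).lower()

def find_phpinfo_hits(lines):
    """Return one record per request that touched the GetPhpInfo.php test file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in the assumed format
        # Substring match so any installation prefix (e.g. /owncloud) is covered.
        if PHPINFO_PATH in normalize(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": status,
                # A 2xx answer means phpinfo output was served: rotate secrets.
                "exposed": 200 <= status < 300,
            })
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Nov/2023:04:12:01 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "curl/8.4.0"',
    '198.51.100.7 - - [25/Nov/2023:04:13:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [25/Nov/2023:04:15:02 +0000] "GET /owncloud/status.php HTTP/1.1" 200 160 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_phpinfo_hits(SAMPLE_LOG):
        print(hit)
```

A 404 hit indicates scanning against an instance where the file is already gone; a 2xx hit is the case that calls for the credential changes the advisory lists.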
