Max Severity ownCloud Flaw Actively Exploited in the Wild

A critical vulnerability in ownCloud, a popular open-source self-hosted file synchronization and sharing solution, is being exploited by cyber actors. The vulnerability affects the graphapi app, which bundles a third-party library (microsoft-graph) that ships with a test file, GetPhpInfo.php, reachable by URL. When that URL is requested, the file calls PHP's phpinfo() function and returns the configuration of the PHP environment, including all environment variables of the web server process. In a containerized deployment, those variables may hold highly sensitive data such as the ownCloud admin password, mail server credentials, and the license key.

If exploited, an attacker obtains highly sensitive system information without authenticating. If other services in the same environment use the same credentials, the exposed values can also be used to access those services. The vulnerability is tracked as CVE-2023-49103, affects owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1, and carries the maximum CVSS v3.1 score of 10.0. Deployments that are not containerized should still treat it as a concern: phpinfo() output also discloses server paths, loaded modules, and other configuration details that help an attacker, even where no credentials are present in the environment.

The vulnerability is one of three flaws disclosed by ownCloud on November 21, 2023, each with recommended mitigations. The second, CVE-2023-49105, is a critical (CVSS 9.8) WebDAV API authentication bypass in ownCloud core 10.6.0 through 10.13.0 (fixed in 10.13.1): pre-signed URLs are accepted even when the owner of the files has no signing key configured, so an attacker who knows a username can access, modify, or delete that user's files without authentication. Exploitation requires the attacker to know the username and the victim to have no signing key configured, which the advisory notes is the default state. The third, CVE-2023-49104, is a high-severity (CVSS 8.7) subdomain validation bypass in the oauth2 app (versions before 0.6.1): a crafted redirect URL can pass the validation code and send OAuth callbacks to a domain controlled by the attacker. Neither of these two flaws is understood to have been exploited in the wild so far.

To mitigate CVE-2023-49103, ownCloud recommends deleting the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabling the phpinfo function in the PHP configuration (for example, by listing it in disable_functions in php.ini), or updating graphapi to 0.2.1 or 0.3.1, which no longer ship the file. Note that simply disabling the graphapi app does not eliminate the vulnerability: the file stays on disk and is executed directly by PHP, so it remains reachable until it is removed. Because the information may already have been disclosed, ownCloud also recommends changing the ownCloud admin password, mail server and database credentials, and S3 access keys immediately.
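As an added check for the steps above (example code written for this article, not ownCloud's own tooling), the following Python script verifies on a host that the test file is gone and that phpinfo is listed in disable_functions, and scans web server access logs for requests aimed at GetPhpInfo.php. It assumes an Apache/Nginx "combined" access log format; the function names, the throw-away web root built by demo_file_removal(), and the sample log lines are all constructed for the example.

```python
#!/usr/bin/env python3
"""Verify the CVE-2023-49103 mitigations and scan access logs for probes.

Added example for this article, not ownCloud code. Assumes the operator
passes the ownCloud web root and that access logs use the combined format.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Path of the bundled test file relative to the ownCloud web root, as named in the advisory.
GETPHPINFO_REL = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")

# Lower-cased tail of that path, matched as a substring so that a prefix such as
# /owncloud/, a trailing path segment, or a query string does not defeat the match.
GETPHPINFO_TAIL = "graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Apache/Nginx combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def getphpinfo_present(owncloud_root: Path) -> bool:
    """True if the phpinfo test file still exists under the ownCloud web root."""
    return (owncloud_root / GETPHPINFO_REL).is_file()


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if the last effective disable_functions line in php.ini lists phpinfo.

    disable_functions is PHP_INI_SYSTEM, so it cannot be re-enabled from .htaccess
    or .user.ini; php.ini (or the FPM pool config) is the place to check.
    """
    disabled = False
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        funcs = {f.strip().lower() for f in value.strip().strip('"\'').split(",")}
        disabled = "phpinfo" in funcs                 # a later line overrides an earlier one
    return disabled


def find_getphpinfo_requests(log_lines) -> list[dict]:
    """Return one record per request whose path targets GetPhpInfo.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m.group("path")).lower()      # undo percent-encoding before matching
        if GETPHPINFO_TAIL not in path:
            continue
        size = m.group("size")
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "size": 0 if size == "-" else int(size),
        })
    return hits


def likely_served(hit: dict) -> bool:
    """Heuristic: a full phpinfo() page is tens of kilobytes, while a reply from a
    disabled phpinfo() or a blocked request is small."""
    return hit["status"] == 200 and hit["size"] > 10_000


def demo_file_removal() -> tuple[bool, bool]:
    """Build a throw-away web root holding the test file, apply the advisory's
    mitigation (delete it), and return (present_before, present_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / GETPHPINFO_REL
        target.parent.mkdir(parents=True)
        target.write_text("<?php phpinfo();\n")      # stand-in for the bundled test file
        before = getphpinfo_present(root)
        target.unlink()
        after = getphpinfo_present(root)
    return before, after


# Constructed sample lines, not real traffic: two probes for the test file (one
# percent-encoded with a trailing segment) and one ordinary sync-client request.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:14:03 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 73421 "-" "python-requests/2.31.0"',
    '198.51.100.22 - - [25/Nov/2023:10:15:11 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp/x HTTP/1.1" 404 312 "-" "curl/8.4.0"',
    '192.0.2.5 - alice [25/Nov/2023:10:16:40 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 1843 "-" "mirall/4.2.0"',
]

if __name__ == "__main__":
    print("test file present before/after removal:", demo_file_removal())
    print("phpinfo disabled:", phpinfo_disabled('disable_functions = "exec,passthru,phpinfo"'))
    for hit in find_getphpinfo_requests(SAMPLE_LOG):
        verdict = "phpinfo page likely served" if likely_served(hit) else "blocked or small reply"
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["size"]}B {verdict}')
```

Run it against the real php.ini text and access log on the host; a hit with status 200 and a large body from before the file was removed means the environment dump was served and the credential rotation in the advisory is not optional.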

The WebDAV API vulnerability, CVE-2023-49105, is fixed by denying the use of pre-signed URLs when no signing key is configured for the owner of the files. The subdomain validation bypass, CVE-2023-49104, is fixed by hardened validation code in the oauth2 app; as a workaround, disabling the "Allow Subdomains" option in the oauth2 app takes the vulnerable matching path out of use until the app is updated.
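To show what the "Allow Subdomains" option changes in a redirect URI check, here is an added illustration (written for this article, not the ownCloud oauth2 app's code; the advisory does not say which crafted URL bypassed ownCloud's validation). loose_match is the generic string-suffix anti-pattern that a relaxed subdomain option can introduce, and strict_match is a matcher that compares scheme, host, port and path and only allows dot-bounded subdomains when the option is on. The registered and redirect URLs are made up for the example.

```python
#!/usr/bin/env python3
"""Redirect URI matching with and without an "allow subdomains" option.

Added illustration for this article, not ownCloud's oauth2 code.
"""
from urllib.parse import urlsplit


def loose_match(registered: str, redirect: str) -> bool:
    """Anti-pattern: accept any redirect whose host string ends with the registered host.
    'evil-app.example.com' ends with 'app.example.com', so it is accepted."""
    reg_host = urlsplit(registered).hostname or ""
    red_host = urlsplit(redirect).hostname or ""
    return red_host.endswith(reg_host)


def strict_match(registered: str, redirect: str, allow_subdomains: bool = False) -> bool:
    """Accept the redirect only if scheme, port and path equal the registered URI and
    the host is identical or, when allow_subdomains is set, a dot-bounded subdomain."""
    reg, red = urlsplit(registered), urlsplit(redirect)
    if not reg.hostname or not red.hostname:
        return False
    if red.username is not None or red.password is not None:
        return False                                   # reject userinfo tricks like host@attacker
    if red.scheme != reg.scheme or red.port != reg.port or red.path != reg.path:
        return False
    if red.hostname == reg.hostname:
        return True
    # Subdomain only if the registered host follows a dot boundary: "a.app.example.com"
    # qualifies, "evil-app.example.com" and "app.example.com.attacker.tld" do not.
    return allow_subdomains and red.hostname.endswith("." + reg.hostname)


# Constructed example values: one registered callback and five candidate redirects.
REGISTERED = "https://app.example.com/cb"
CANDIDATES = {
    "exact":        "https://app.example.com/cb",
    "subdomain":    "https://login.app.example.com/cb",
    "suffix_trick": "https://evil-app.example.com/cb",
    "tld_trick":    "https://app.example.com.attacker.tld/cb",
    "userinfo":     "https://app.example.com@attacker.tld/cb",
}


def evaluate(registered: str = REGISTERED, candidates: dict = CANDIDATES) -> dict:
    """Return, per candidate, the verdict of each matcher."""
    return {
        name: {
            "loose": loose_match(registered, url),
            "strict_no_subdomains": strict_match(registered, url, allow_subdomains=False),
            "strict_subdomains": strict_match(registered, url, allow_subdomains=True),
        }
        for name, url in candidates.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:13s} {verdicts}")
```

With subdomains disabled only the exact URI is accepted, which is what the workaround in the advisory buys; with subdomains enabled the strict matcher still rejects the suffix, TLD-appended and userinfo variants that the loose matcher or a browser would treat as a different host.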

File-sharing solutions have been actively targeted by threat actors before: this year alone, the Clop hacking group conducted two mass exploitation campaigns against file-sharing products, Fortra's GoAnywhere MFT and Progress Software's MOVEit Transfer. The recommended mitigations should therefore be applied immediately.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news