Thursday, December 7, 2023
HomeTechnologyownCloud vulnerability with most 10 severity rating comes below “mass” exploitation

ownCloud vulnerability with most 10 severity rating comes below “mass” exploitation


Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word

Getty Pictures

Safety researchers are monitoring what they are saying is the “mass exploitation” of a safety vulnerability that makes it doable to take full management of servers working ownCloud, a broadly used open-source filesharing server app.

The vulnerability, which carries the utmost severity score of 10, makes it doable to acquire passwords and cryptographic keys permitting administrative management of a susceptible server by sending a easy Net request to a static URL, ownCloud officers warned final week. Inside 4 days of the November 21 disclosure, researchers at safety agency Greynoise mentioned, they started observing “mass exploitation” of their honeypot servers, which masqueraded as susceptible ownCloud servers to trace makes an attempt to take advantage of the vulnerability. The variety of IP addresses sending the online requests has slowly risen since then. On the time this put up went dwell on Ars, it had reached 13.

Spraying the Web

“We’re seeing hits to the precise endpoint that exposes delicate data, which might be thought of exploitation,” Glenn Thorpe, senior director of safety analysis & detection engineering at Greynoise, mentioned in an interview on Mastodon. “For the time being, we have seen 13 IPs which might be hitting our unadvertised sensors, which signifies that they’re just about spraying it throughout the web to see what hits.”

CVE-2023-49103 resides in variations 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, relying on the way in which they’re configured. A 3rd-party code library utilized by the app supplies a URL that, when accessed, reveals configuration particulars from the PHP-based setting. In final week’s disclosure, ownCloud officers mentioned that in containerized configurations—equivalent to these utilizing the Docker virtualization device—the URL can reveal knowledge used to log into the susceptible server. The officers went on to warn that merely disabling the app in such circumstances wasn’t enough to lock down a susceptible server.

The ownCloud advisory defined:

The “graphapi” app depends on a third-party library that gives a URL. When this URL is accessed, it reveals the configuration particulars of the PHP setting (phpinfo). This data consists of all of the setting variables of the webserver. In containerized deployments, these setting variables might embrace delicate knowledge such because the ownCloud admin password, mail server credentials, and license key.

It’s necessary to emphasise that merely disabling the graphapi app doesn’t remove the vulnerability. Moreover, phpinfo exposes varied different doubtlessly delicate configuration particulars that may very well be exploited by an attacker to assemble details about the system. Subsequently, even when ownCloud shouldn’t be working in a containerized setting, this vulnerability ought to nonetheless be a trigger for concern.

Not all safety practitioners regard the vulnerability as posing a widespread menace, the way in which different vulnerabilities—most lately the vulnerability tracked as CVE-2023-4966 and CitrixBleed—have. Particularly, impartial researcher Kevin Beaumont has famous that the CVE-2023-49103 vulnerability wasn’t launched till 2020, isn’t exploitable by default, and was solely launched in containers in February.

“I don’t suppose anyone else truly checked if the susceptible characteristic is enabled,” he mentioned in an interview. What’s extra, an ownCloud Net web page confirmed graphapi had fewer than 900 installs on the time this put up went dwell on Ars. ownCloud officers didn’t instantly reply to an e mail looking for technical particulars of the vulnerability and the exact circumstances required for it to be exploited.

Given the potential menace posed by CVE-2023-49103, there’s nonetheless room for legit concern. In line with safety group Shadowserver, a current scan revealed greater than 11,000 IP addresses internet hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland. Even when solely a small fraction of the servers are susceptible, the potential for hurt is actual.

“Not surprisingly given ease of exploitation we now have began seeing OwnCloud CVE-2023-49103 makes an attempt,” Shadowserver officers wrote. “It is a CVSS 10 disclosure of delicate credentials & configs in containerized deployments. Please observe ownCloud advisory mitigation steps.”

Extra high-severity ownCloud vulnerabilities

One more reason for concern: ownCloud lately mounted two different high-severity vulnerabilities, together with CVE-2023-94105, which has a severity score of 9.8. The flaw permits for an authentication bypass within the WebDAV API utilizing pre-signed URLs. Hackers can exploit it “to entry, modify or delete any file with out authentication if the username of the sufferer is thought and the sufferer has no signing-key configured (which is the default),” ownCloud officers warned. The vulnerability impacts the WebDAV API in ownCloud variations 10.6.0 to 10.13.0.

A 3rd vulnerability tracked as CVE-2023-94104 is a subdomain validation bypass flaw with a severity score of 8.7. Hackers can exploit it utilizing a redirect URL, making it doable to redirect callbacks to a site managed by the attacker.

To repair the ownCloud vulnerability below exploitation, ownCloud suggested customers to:

Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/assessments/GetPhpInfo.php. Moreover, we disabled the phpinfo operate in our docker-containers. We are going to apply varied hardenings in future core releases to mitigate related vulnerabilities.

We additionally advise to vary the next secrets and techniques:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Retailer/S3 access-key

Whereas there aren’t any reviews of the opposite two vulnerabilities being actively exploited, customers ought to observe the directions ownCloud has supplied right here and right here.

In current months, vulnerabilities in file sharing apps equivalent to WS-FTP server, MOVEit, and IBM Aspera Faspex, and GoAnywhere MFT have enabled the compromise of hundreds of enterprise networks. Anybody who ignores the menace posed by the lately mounted ownCloud flaws does so at their very own peril.



Supply hyperlink

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments