Hackers start exploiting critical ownCloud flaw, patch now

  • November 28, 2023
  • 11:14 AM
  • 0


Hackers are exploiting a critical ownCloud vulnerability tracked as CVE-2023-49103 that exposes admin passwords, mail server credentials, and license keys in containerized deployments.

ownCloud is a widely used open-source file synchronization and sharing solution designed for those who wish to manage and share data through a self-hosted platform.

On November 21, the software's developers published security bulletins for three vulnerabilities that could lead to data breaches, urging ownCloud administrators to apply the recommended mitigations immediately.

Of the three flaws, CVE-2023-49103 received a maximum CVSS severity score of 10.0 as it allows a remote threat actor to execute phpinfo() through the ownCloud 'graphapi' app, which reveals the server's environment variables, including credentials stored within them.

"In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," reads the CVE-2023-49103 advisory.

Also, if other services in the same environment use the same variants and configurations, the same credentials can be used to access those services as well, expanding the breach.

Active exploitation underway

Unfortunately, leveraging CVE-2023-49103 for data theft attacks isn't complicated, and threat actors have already been discovered exploiting the flaw in attacks.

Threat tracking firm Greynoise reported yesterday that it observed mass exploitation of the flaw in the wild starting on November 25, 2023, with a rising trajectory. Greynoise tracked 12 unique IP addresses exploiting CVE-2023-49103.

Observed exploitation activity
Observed exploitation activity
Source: Greynoise

Shadowserver also reports similar observations, warning that it currently detects over 11,000 exposed instances, with most located in Germany, the United States, France, and Russia.

Heatmap of vulnerable targets
Heatmap of vulnerable endpoints
Source: Shadowserver

Due to the increased exploitation of this flaw, ownCloud administrators are recommended to take immediate action to remediate the risk.

The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys.

It is important to note that disabling the graphapi app does not mitigate the threat, which is equally severe for both containerized and non-containerized environments.

The only case resistant to the credential disclosure problem is Docker containers created before February 2023.

Article updated to correct a factual error about the number of vulnerable ownCloud instances detected by Shadowserver.