Critical vulnerabilities of the ownCloud platform are being exploited in the wild » intelfindr


On November 21, 2023, three critical vulnerabilities were made public (CVE-2023-49103, CVE-2023-49104, CVE-2023-49105), affecting several applications of the ownCloud online file sharing and collaboration platform. These vulnerabilities allow a remote attacker, under certain circumstances, to obtain sensitive data such as the ownCloud administrator password, mail server credentials and license key; to access, modify and delete files without authentication (knowing only the victim's username); and to bypass subdomain validation in ownCloud's oauth2 application.

As published by GreyNoise, these vulnerabilities have been heavily exploited since November 25, 2023, mainly the one that discloses sensitive data (CVE-2023-49103).

OwnCloud is an open-source software platform designed to provide cloud storage and online collaboration services. It focuses on enabling users to store, sync, and share files and data over the web. It can be installed on local servers or on cloud hosting services, giving organizations and individual users greater control over their data.

Key features of ownCloud include:

  • Storage and Sync.
  • Collaboration.
  • Remote Access.
  • Security.
  • Integration.

OwnCloud is commonly used in enterprise and academic environments where control over data is a priority and an internal cloud storage solution is preferred.

Graph API is an ownCloud extension that integrates a user information endpoint into ownCloud Server, following the Microsoft Graph API specification. This endpoint facilitates a Bridge configuration, enabling a hybrid deployment between ownCloud Server 10 and ownCloud Infinite Scale. This is the extension affected by the most critical of the three vulnerabilities, in which sensitive data is exposed without any authentication. It is explained in detail below:

Disclosure of sensitive credentials and configuration in containerized deployments

Main characteristics

  • CVE identifier: CVE-2023-49103.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/graphapi.
  • CVSS score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0 Critical).
  • CWE: CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor.
  • Affected versions:
    • owncloud/graphapi 0.2.0 – 0.3.0.
  • Exploitation requirements:
    • ownCloud server containerized in Docker (*).
    • The Docker container must be from February 2023 onwards.

CVE-2023-49103 impact

The graphapi extension relies on a third-party library that exposes a URL: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Accessing this URL reveals PHP environment configuration details via phpinfo(). Because phpinfo() also prints the web server's environment variables, in containerized deployments this can expose critical secrets injected into the container as environment variables, including the ownCloud administrator's password, mail server credentials, and license key. This significantly impacts the confidentiality, integrity, and availability of the application's data.

NOTE: As indicated by the vendor, Docker containers prior to February 2023 are not vulnerable to this credential exposure.

Mitigation

In this case, disabling the graphapi application does not eliminate the vulnerability, because the file is served by the web server directly, regardless of whether the app is enabled. The main solution is to delete the file that directly exposes the sensitive information:

  • owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

Additionally, the vendor recommends rotating the following secrets, as they may have been compromised:

  • ownCloud administrator user password.
  • Mail server credentials.
  • Database credentials.
  • Object-Store/S3 access key.

(*) It is important to note that even when ownCloud is not running in a containerized environment, phpinfo() still exposes system configuration details (PHP version, loaded modules, paths, settings) that could be useful to an attacker. Therefore, the basic mitigation above (deleting the file) should be applied in the same way.

CVE-2023-49103 vulnerability detection

As of the publication date, there is a publicly available proof of concept to verify the potential impact of this vulnerability: an unauthenticated GET request to the GetPhpInfo.php path above returns the phpinfo() page if the instance is affected.
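The following script, added here as an example and not part of the advisory or the public proof of concept, does two things a practitioner wants when handling this CVE: it classifies an HTTP response from the GetPhpInfo.php path as phpinfo() output (and lists which secret-bearing environment variables it names), and it hunts an Apache/nginx combined-format access log for requests against that path so that both successful (200) and blocked (403/404) probes can be triaged. The environment variable names (OWNCLOUD_ADMIN_PASSWORD, OWNCLOUD_DB_PASSWORD, ...) are assumed from the official ownCloud Docker image and are not stated in the advisory; the phpinfo fragment and log lines are constructed sample data.

```python
"""CVE-2023-49103 checks: phpinfo() response classifier + access-log hunt.
Added example (not the advisory's or ownCloud's code). Variable names and
sample data below are assumed/constructed."""
import re
from typing import Iterable
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Path named in the advisory, relative to the ownCloud web root.
GETPHPINFO_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Assumed names from the official ownCloud Docker image; the advisory only
# says admin password, mail credentials, DB/S3 secrets and license key leak.
SECRET_ENV_PATTERN = re.compile(
    r"\b(OWNCLOUD_(?:ADMIN_PASSWORD|DB_PASSWORD|MAIL_SMTP_PASSWORD"
    r"|LICENSE_KEY|OBJECTSTORE_SECRET))\b"
)

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_phpinfo_response(status: int, body: str) -> dict:
    """Return {"vulnerable": bool, "leaked_env": [names]} for one HTTP response.
    A 200 containing the phpinfo() page markers means the file is reachable."""
    is_phpinfo = status == 200 and "PHP Version" in body and "phpinfo()" in body
    leaked = sorted(set(SECRET_ENV_PATTERN.findall(body))) if is_phpinfo else []
    return {"vulnerable": is_phpinfo, "leaked_env": leaked}


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the endpoint from a live instance you are authorised to test.
    Network call; not exercised by the offline checks below."""
    url = urljoin(base_url.rstrip("/") + "/", GETPHPINFO_PATH)
    req = Request(url, headers={"User-Agent": "cve-2023-49103-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_phpinfo_response(resp.status, body)
    except Exception as exc:  # HTTPError (403/404) or connection failure
        return {"vulnerable": False, "leaked_env": [], "error": str(exc)}


def hunt_access_log(lines: Iterable[str]) -> list:
    """Return every request whose path reaches GetPhpInfo.php.
    served=True (HTTP 200) means phpinfo() was actually delivered."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "getphpinfo.php" not in m["path"].lower():
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "path": m["path"],
            "status": int(m["status"]), "served": m["status"] == "200",
        })
    return hits


# Constructed sample data (not captured from a real system).
SAMPLE_PHPINFO = """<html><head><title>PHP 7.4.33 - phpinfo()</title></head>
<body><h1 class="p">PHP Version 7.4.33</h1><h2>Environment</h2><table>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD</td><td class="v">s3cret</td></tr>
<tr><td class="e">OWNCLOUD_DB_PASSWORD</td><td class="v">dbpass</td></tr>
</table></body></html>"""

SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2023:10:15:01 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Nov/2023:10:15:05 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2023:08:02:44 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 215 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    print(classify_phpinfo_response(200, SAMPLE_PHPINFO))
    for hit in hunt_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit with served=True before the file was deleted should be treated as a confirmed credential exposure for that instance, and the rotation list in the Mitigation section applies; a 404 after the fix is the expected signature of continued scanning.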

The other two vulnerabilities, of lower severity but still high impact, affect the ownCloud OAuth2 application and the ownCloud core.

Subdomain Validation Bypass

Main characteristics

  • CVE identifier: CVE-2023-49104.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/oauth2.
  • CVSS score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N (8.7 High).
  • CWE: CWE-284 – Improper Access Control.
  • Affected versions:
  • Exploitation requirements:
    • "Allow Subdomains" option enabled.

Impact

In ownCloud's OAuth2 application, when the "Allow Subdomains" option is enabled, an attacker can submit a crafted redirect URL that passes the redirect-URI validation code. This allows the attacker to redirect the OAuth2 callback (and the authorization code it carries) to a domain under their own control.

Mitigation

To fix this vulnerability, the "Allow Subdomains" option must be disabled, so that only an exact match with the registered redirect URI is accepted.
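To make the class of bug concrete, here is an added, illustrative redirect_uri validator in Python with a weak subdomain check next to a hardened one. This is not ownCloud's oauth2 code and does not claim to be the exact logic behind CVE-2023-49104; it shows the generic mistake that the page's description implies (a subdomain rule that matches a string suffix rather than a DNS label boundary), which lets an attacker who registers a domain ending in the same characters, such as evilexample.com for a client registered at example.com, receive the callback. The registered and attacker URLs are constructed for the example.

```python
"""Illustrative OAuth2 redirect_uri validation with an "allow subdomains"
option. Added example; not ownCloud's implementation."""
from urllib.parse import urlsplit


def naive_redirect_ok(registered: str, redirect: str, allow_subdomains: bool) -> bool:
    """Weak check: any host that *ends with* the registered host string is
    treated as a subdomain. 'evilexample.com'.endswith('example.com') is True,
    so an attacker-owned domain passes."""
    reg, req = urlsplit(registered), urlsplit(redirect)
    if not allow_subdomains:
        return registered == redirect
    return req.scheme == reg.scheme and req.netloc.endswith(reg.netloc)


def hardened_redirect_ok(registered: str, redirect: str, allow_subdomains: bool) -> bool:
    """Strict check: scheme, port and path must match exactly; no userinfo or
    fragment; host must be identical or, when allowed, a real subdomain
    (i.e. end with '.' + registered host, so the label boundary is enforced)."""
    reg, req = urlsplit(registered), urlsplit(redirect)
    if req.scheme != reg.scheme or req.port != reg.port or req.path != reg.path:
        return False
    if req.username is not None or req.fragment:
        return False  # 'https://example.com@evil.net/...' and #fragment tricks
    if not req.hostname or not reg.hostname:
        return False
    if req.hostname == reg.hostname:
        return True
    return allow_subdomains and req.hostname.endswith("." + reg.hostname)


# Constructed example URLs.
REGISTERED = "https://example.com/oauth/callback"
ATTACKER = "https://evilexample.com/oauth/callback"
LEGIT_SUB = "https://app.example.com/oauth/callback"

if __name__ == "__main__":
    print("naive lets attacker through:", naive_redirect_ok(REGISTERED, ATTACKER, True))
    print("hardened blocks attacker:", not hardened_redirect_ok(REGISTERED, ATTACKER, True))
    print("hardened allows real subdomain:", hardened_redirect_ok(REGISTERED, LEGIT_SUB, True))
    print("subdomains off -> exact only:", hardened_redirect_ok(REGISTERED, LEGIT_SUB, False))
```

Disabling the option, as the vendor recommends, corresponds to allow_subdomains=False here: only the exact registered URI is accepted, which removes the suffix-matching surface entirely.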

WebDAV API Authentication Bypass using Pre-Signed URLs

Main characteristics

  • CVE identifier: CVE-2023-49105.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/core.
  • CVSS score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical).
  • CWE: CWE-665 – Improper Initialization.
  • Affected versions:
  • Exploitation requirements:
    • The victim's username is known.
    • The victim account has no signing key configured (the default).

Impact

Pre-signed URLs are accepted even when no signing key has been configured for the owner of the files. This allows an attacker to access, modify or delete files over WebDAV without authentication. The only requirements are that the victim's username is known and that the victim has no signing key configured, which is the default state of an account.

Mitigation

The main fix is to reject pre-signed URLs whenever no signing key has been configured for the owner of the files, instead of validating them against an uninitialized (empty) key.
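The improper-initialization pattern and its fix, as an added Python illustration that is not ownCloud's code: a verifier that falls back to an empty key when the owner has none lets anyone who knows the owner's username produce a valid signature, whereas the fixed verifier refuses pre-signed URLs for such users. The signing scheme (HMAC-SHA256 over path and expiry), the parameter names OC-Expires and OC-Signature, the key store and the users alice and bob are all assumptions made for the example.

```python
"""Pre-signed URL verification: vulnerable fallback vs. fixed deny-by-default.
Added example; scheme, parameter names and data are assumed, not ownCloud's."""
import hashlib
import hmac
from typing import Dict, Optional


def _mac(key: str, path: str, expires: int) -> str:
    """HMAC-SHA256 over the canonical path and expiry (assumed scheme)."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def make_presigned(key: str, path: str, expires: int) -> Dict[str, str]:
    """Build the query parameters of a pre-signed URL for `path`."""
    return {"OC-Expires": str(expires), "OC-Signature": _mac(key, path, expires)}


def _check(key: str, path: str, params: Dict[str, str], now: int) -> bool:
    """Shared expiry + constant-time signature comparison."""
    try:
        expires = int(params["OC-Expires"])
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    expected = _mac(key, path, expires).encode()
    given = params.get("OC-Signature", "").encode()
    return hmac.compare_digest(expected, given)


def verify_vulnerable(keys: Dict[str, Optional[str]], user: str, path: str,
                      params: Dict[str, str], now: int) -> bool:
    """BUG: a missing key silently becomes "" (improper initialization), so a
    signature computed with the empty key by anyone who knows `user` passes."""
    key = keys.get(user) or ""
    return _check(key, path, params, now)


def verify_fixed(keys: Dict[str, Optional[str]], user: str, path: str,
                 params: Dict[str, str], now: int) -> bool:
    """FIX: pre-signed URLs are denied outright when the owner has no key."""
    key = keys.get(user)
    if not key:
        return False
    return _check(key, path, params, now)


# Constructed key store: alice configured a key, bob never did (the default).
KEYS: Dict[str, Optional[str]] = {"alice": "k-alice-0123", "bob": None}
NOW = 1_700_000_000
BOB_PATH = "/remote.php/dav/files/bob/secret.pdf"

if __name__ == "__main__":
    # Attacker knows only the username "bob" and signs with the empty key.
    forged = make_presigned("", BOB_PATH, NOW + 600)
    print("vulnerable accepts forged URL:", verify_vulnerable(KEYS, "bob", BOB_PATH, forged, NOW))
    print("fixed rejects forged URL:", not verify_fixed(KEYS, "bob", BOB_PATH, forged, NOW))
```

The point of the fix is that absence of a key is a policy decision (this user has not opted into pre-signed URLs), not a degenerate key value; any code path that coerces None into "" turns that policy into an authentication bypass.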

As part of its emerging vulnerabilities service, Tarlogic Security proactively monitors the perimeter of its clients to promptly detect and urgently report the presence of this vulnerability, along with other critical threats that could have a serious impact on the security of their assets.
