Attackers Actively Target Critical ownCloud Vulnerability
Content Collaboration Platform Sent Updates and Alert Directly to Users Last Month
Security researchers are tracking active attack attempts targeting users of the open-source ownCloud file server and content collaboration platform.
The attack warning comes after ownCloud on Nov. 21 issued a security alert warning users that they're at risk of "disclosure of sensitive credentials and configuration in containerized deployments" due to a "critical" vulnerability tracked as CVE-2023-49103.
The vulnerability exists in ownCloud's Graph API app versions 0.2.0 and 0.3.0. Since Nov. 21, ownCloud has been part of San Mateo, California-based Kiteworks, formerly known as Accellion, which sells software for maintaining private content networks. Privately held Kiteworks acquired ownCloud for an undisclosed sum.
A spokeswoman for ownCloud told Information Security Media Group that it had first notified customers directly by email about the flaws on Sept. 20, advising them to install the updates that fix them.
Threat intelligence firm GreyNoise reported on Saturday seeing mass exploitation attempts targeting the vulnerability, with the greatest number of attacks appearing to target Israel.
By Wednesday, GreyNoise reported seeing 34 unique IPs "that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits," said Glenn Thorpe, a security researcher at the firm, on Mastodon.
The ownCloud project said the vulnerability exists in a third-party library bundled with its Graph API app; the library's GetPhpInfo.php file exposes a URL. "When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," according to the alert. As is typical for the phpinfo function, "this information includes all the environment variables of the webserver," which for containerized environments "may include sensitive data such as the ownCloud admin password, mail server credentials and license key."
Docker containers created before February 2023 are not at risk of disclosing their credentials this way, it said.
Target: File-Sharing Platforms
File-sharing services remain a top target for attackers. In late May, the Clop ransomware group exploited a zero-day flaw in Progress Software's widely used MOVEit secure file transfer software. Attackers exploited the vulnerability to steal data being stored on MOVEit servers pertaining to over 2,635 organizations and more than 83 million individuals, security firm Emsisoft reported. Clop previously had targeted other secure managed file transfer tools such as Accellion, Serv-U and GoAnywhere, and in March, two other ransomware groups had targeted patched flaws in IBM Aspera Faspex file exchange software (see: Hackers Hit Secure File Transfer Software Again and Again).
In a bid to find flaws in file transfer software before attackers might start exploiting them, security researchers at Rapid7 in recent months identified and notified vendors about fresh vulnerabilities in such file transfer tools as Fortra Globalscape EFT Server, JSCAPE MFT and South River Technologies Titan MFT and Titan SFTP.
To mitigate the flaw, ownCloud's updated software removes the GetPhpInfo.php file from the app and disables the phpinfo function completely for Docker containers. "We will apply various hardenings in future core releases to mitigate similar vulnerabilities," it said.
In addition, ownCloud recommends that all users not only update their software but also change the following secrets, since attackers could have already accessed them:
- Admin password for ownCloud;
- Mail server credentials;
- Database credentials;
- Access keys for connected S3 buckets.
Disabling the Graph API app will not mitigate the flaw, and not only containerized environments are at risk, ownCloud said. That's because the phpinfo function "exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system," it said. "Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."
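Because the exposed file is served directly by the web server, the practical questions for a defender are whether anyone requested it, whether the request succeeded, and, if the deployment is containerized, which of the secrets listed above now have to be rotated. The following triage script is an added example written for this article, not ownCloud's or GreyNoise's code. It assumes access logs in the common Apache/nginx combined format, treats any request ending in GetPhpInfo.php that returned HTTP 200 as a likely disclosure (the page does not give the URL path, so the sample path below is a constructed placeholder), and takes the "containerized" flag from the operator rather than from the log.

```python
"""Triage web-server access logs for CVE-2023-49103 probe attempts.

Added example, not ownCloud project code. Assumptions (not from the article):
- access logs are in Apache/nginx "combined" format;
- any request whose path ends in GetPhpInfo.php is a probe, and a probe that
  got HTTP 200 is treated as a likely phpinfo disclosure;
- whether the deployment is containerized is supplied by the operator.
"""
import re
from dataclasses import dataclass, field

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The file name comes from the ownCloud advisory; the directory does not.
PROBE_FILE = "GetPhpInfo.php"

# Secrets the advisory says to rotate after a disclosure in a container.
SECRETS_TO_ROTATE = (
    "ownCloud admin password",
    "mail server credentials",
    "database credentials",
    "access keys for connected S3 buckets",
)

# Constructed sample log lines (placeholder path, RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/GetPhpInfo.php HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.7 - - [25/Nov/2023:10:01:03 +0000] "GET /apps/graphapi/GetPhpInfo.php?x=1 HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.9 - - [25/Nov/2023:11:15:44 +0000] "GET /apps/graphapi/getphpinfo.php HTTP/1.1" 404 162 "-" "curl/8.4.0"
192.0.2.5 - - [25/Nov/2023:11:20:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped
"""


@dataclass
class Triage:
    probes: int = 0                      # requests for the probe file
    sources: set = field(default_factory=set)   # unique client IPs
    disclosures: list = field(default_factory=list)  # (ip, path) with HTTP 200


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request path (query string stripped) targets the probe file.
    Compared case-insensitively, since scanners vary the case of the name."""
    return path.split("?", 1)[0].lower().endswith(PROBE_FILE.lower())


def triage(lines):
    """Count probes, collect source IPs, and record successful (200) hits."""
    t = Triage()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_probe(rec["path"]):
            continue
        t.probes += 1
        t.sources.add(rec["ip"])
        if rec["status"] == "200":
            t.disclosures.append((rec["ip"], rec["path"]))
    return t


def rotation_plan(t, containerized):
    """Secrets to rotate: all four listed by ownCloud if a disclosure happened
    in a containerized deployment. A non-containerized host still leaked
    phpinfo output and should be reviewed, but no credentials are implied."""
    if t.disclosures and containerized:
        return list(SECRETS_TO_ROTATE)
    return []


def run_demo():
    """Triage the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    result = run_demo()
    print(f"probes={result.probes} sources={sorted(result.sources)}")
    for ip, path in result.disclosures:
        print(f"likely disclosure: {ip} -> {path}")
    for secret in rotation_plan(result, containerized=True):
        print(f"rotate: {secret}")
```

On the sample above the script reports three probes from two addresses, two of which returned 200; with the containerized flag set it lists all four secrets for rotation. A 404 on the probe path, as in the third sample line, is the expected result once the patched app release has removed the file.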
"Organizations using ownCloud should address these vulnerabilities immediately," GreyNoise's Thorpe said in a blog post.
How widespread this vulnerability might be remains unclear. The download page for version 0.3.1 of the Graph API app showed 866 downloads as of Wednesday.
"To our current knowledge, none of our customers were affected since we closed the security gap, updated our software and advised our customers how to secure their systems before the CVE was made public," the ownCloud spokeswoman told Information Security Media Group.
The Shadowserver Foundation, which tracks malicious online activity, reported via Mastodon that it counts over 11,000 internet-connected ownCloud installations, primarily in Germany, followed by the United States, France, Russia and Poland. Whether or not those installations are vulnerable to CVE-2023-49103 isn't clear, it said.
"Not surprisingly given ease of exploitation we have started seeing ownCloud CVE-2023-49103 attempts," Shadowserver wrote. "This is a CVSS 10 disclosure of sensitive credentials and configs in containerized deployments. Please follow ownCloud advisory mitigation steps."
British security researcher Kevin Beaumont sees "several mitigating factors" that should blunt attackers' attempts to mass compromise ownCloud deployments.
In particular, the vulnerability didn't get added to the software until 2020, Graph API isn't enabled by default in ownCloud implementations and the functionality was "only introduced in containers earlier this year, which have juicy environment variables," he said in a Mastodon post.
"I don't think anybody else actually checked if the vulnerable feature is enabled," Beaumont told Ars Technica.
Beyond CVE-2023-49103, ownCloud also directly notified users about two more vulnerabilities, which it later highlighted via public security alerts on Nov. 21.
One critical vulnerability, designated CVE-2023-49104, which has a CVSS score of 9.0, exists in versions of its oauth2 app prior to 0.6.1 and could be exploited by an attacker who uses a specially crafted URL to bypass validation and redirect callbacks to an attacker-controlled domain, ownCloud said.
Another vulnerability, designated CVE-2023-49105, which has a CVSS score of 9.8, can be exploited by an attacker to "access, modify or delete any file without authentication" if they know the victim's username and if there's no signing key configured. Such keys are not configured by default. The vulnerability exists in ownCloud versions 10.6.0 to 10.13.0, and one mitigation the software developer recommends is to enable such signing keys.