Facepalm: OwnCloud is an open-source software designed for sharing and syncing files in distributed and federated enterprise environments. The tool provides collaboration and document-sharing services, but a recently disclosed vulnerability has extended its “sharing” capabilities in an unintended way, compromising sensitive data.
This past week, ownCloud publicly disclosed a critical vulnerability in the “graphapi” app. The security flaw is being tracked with the highest level of risk on the CVE scale (10) as CVE-2023-49103. A week later, security researchers have now started to witness what could amount to “mass” exploitation of this extremely dangerous flaw.
According to ownCloud’s official advisory, the CVE-2023-49103 issue stems from a third-party library used by the graphapi app (GetPhpInfo.php). The library provides a URL that, when accessed, reveals the configuration details of the PHP environment. The provided information also includes all the environment variables of the webserver, ownCloud said.
The issue mostly arises in containerized deployments of ownCloud, where the environment variables disclosed by getphpinfo.php “may include” sensitive data such as admin passwords, server credentials, and license keys. Simply disabling the graphapi app doesn’t eliminate the vulnerability, as the flawed library still provides the secret-disclosing URL, according to ownCloud.
Aside from disclosing server secrets, the vulnerable phpinfo library can expose other potentially sensitive configuration details that an attacker could exploit to gather further information about the system. Even if ownCloud is not running in a containerized environment, the advisory warns, server admins should still be concerned about the vulnerability’s potential outcomes.
According to security company GreyNoise, the CVE-2023-49103 flaw is now actively being exploited by cyber-criminals. Researchers describe a “mass exploitation” of the flaw in the wild, which they detected as early as November 25, 2023. Black hat hackers are seeking passwords, mail server credentials, and license keys, which the detailed vulnerability would gladly reveal to anyone.
While the company is working on “various hardenings” in future core releases to avoid similar vulnerabilities, ownCloud advised users to delete the flawed GetPhpInfo.php library from their servers. Furthermore, the phpinfo function was disabled in the containers the German company directly provides to its enterprise customers.
Further advice provided by ownCloud includes a global reset of server “secrets,” including passwords, credentials, and access keys. In addition to CVE-2023-49103, GreyNoise remarks that ownCloud recently disclosed additional critical vulnerabilities. The flaws include an authentication bypass issue with a 9.8 CVE score (CVE-2023-49105) and a highly dangerous flaw related to the oauth2 app (CVE-2023-49104).