
Critical vulnerabilities of the ownCloud platform are being exploited in the wild

Exploitation of the three critical vulnerabilities of the ownCloud platform would allow privilege escalation.

On November 21, 2023, three critical vulnerabilities were made public (CVE-2023-49103, CVE-2023-49104, CVE-2023-49105), affecting several applications of the ownCloud online file sharing and collaboration platform. These vulnerabilities of the ownCloud platform allow a remote attacker, under certain circumstances, to obtain sensitive data such as the ownCloud administrator password, mail server credentials and license key; to access, modify and delete files without authentication (provided the victim’s username is known); and to bypass subdomain validation in ownCloud’s oauth2 application.

As published by GreyNoise, these vulnerabilities of the ownCloud platform have been highly exploited since November 25, 2023, mainly the one affecting the disclosure of sensitive data (CVE-2023-49103).

OwnCloud is an open-source software platform designed to provide cloud storage and online collaboration services. It focuses on enabling users to store, sync, and share files and data through the web. It can be installed on local servers or cloud hosting services, giving organizations and individual users greater control over their data.

Key features of ownCloud include:

  • Storage and Sync.
  • Collaboration.
  • Remote Access.
  • Security.
  • Integration.

OwnCloud is commonly used in business and educational environments where control over data is a priority, and an internal cloud storage solution is preferred.

Graph API is an extension of ownCloud that integrates a user information endpoint into ownCloud Server, following the Microsoft Graph API specification. This endpoint facilitates a Bridge configuration, enabling a hybrid deployment between ownCloud Server 10 and ownCloud Infinite Scale. This is the extension affected by the most critical vulnerability, where sensitive data is exposed without requiring authentication. It is explained in detail below:

Disclosure of sensitive credentials and configuration in containerized deployments

Main features

  • CVE identifier: CVE-2023-49103.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/graphapi.
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0 Critical).
  • CWE: CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor.
  • Affected versions:
    • owncloud/graphapi 0.2.0 – 0.3.0.
  • Exploitation requirements:
    • OwnCloud server containerized in Docker (*).
    • The Docker container must be from February 2023 onwards.

CVE-2023-49103 impact

The graphapi extension relies on a third-party library that exposes a URL: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Accessing this URL reveals PHP environment configuration details through phpinfo. This access could expose critical information from the environment, such as sensitive variables from the web server in containerized implementations, including the ownCloud administrator’s password, mail server credentials, and license key. This significantly impacts the confidentiality, integrity, and availability of the application’s data.

NOTE: As indicated by the provider, Docker containers prior to February 2023 are not vulnerable to this credential exposure.

Mitigation

In this case, disabling the graphapi application does not eliminate this vulnerability of the ownCloud platform. The main solution is to remove the file that directly exposes the sensitive information:

  • owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

Additionally, the provider recommends modifying the following keys, as they may have been compromised:

  • OwnCloud administrator user password.
  • Mail server credentials.
  • Database credentials.
  • Object-Store/S3 access key.

(*) It’s important to note that even if ownCloud is not running in a containerized environment, phpinfo exposes system configuration details that could be exploited by potential attackers. Therefore, it is crucial to apply the main mitigation indicated in the same manner.

CVE-2023-49103 vulnerability detection

As of the current publication date, there is a publicly available proof of concept to verify the potential impact of this vulnerability.
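The two defender-side actions that follow from the sections above, removing the exposed file and checking web-server access logs for requests to it, as an added example that is not part of the advisory and is not ownCloud's or Tarlogic's code. The ownCloud root directory, the log lines and the IP addresses are constructed for the demo; only the file path comes from the advisory.

```python
"""Added example: remove the exposed phpinfo script and triage access logs.

The ownCloud root used in the demo is a temporary directory and the log
lines are constructed; the relative file path is the one from the advisory.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Path from the advisory, relative to the ownCloud web root.
EXPOSED_FILE = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def remove_exposed_file(owncloud_root):
    """Delete GetPhpInfo.php if present.

    Returns "removed", "absent" or "still-present" so a rollout script can
    log the outcome per host instead of silently succeeding.
    """
    target = Path(owncloud_root) / EXPOSED_FILE
    if not target.is_file():
        return "absent"
    target.unlink()
    return "removed" if not target.exists() else "still-present"


# Apache/nginx combined or common log format:
# host ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_phpinfo_requests(log_lines):
    """Return (source_ip, status) for every request whose path names the
    exposed script. A 200 means the server actually served phpinfo output;
    a 404 means the file was already gone (or the request never reached PHP)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined/common-format line; skip it
        ip, _method, path, status = m.groups()
        if "GetPhpInfo.php" in path:
            hits.append((ip, int(status)))
    return hits


def summarize_by_source(hits):
    """Count served (HTTP 200) hits per source IP for triage."""
    return Counter(ip for ip, status in hits if status == 200)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '203.0.113.9 - - [25/Nov/2023:10:02:11 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Nov/2023:10:03:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 162 "-" "python-requests/2.31"',
]


def demo_remove_in_temp_tree():
    """Build a throwaway ownCloud-like tree containing the file, then remove it.
    Returns the outcome of the first and second removal attempts."""
    root = tempfile.mkdtemp(prefix="owncloud-demo-")
    target = Path(root) / EXPOSED_FILE
    target.parent.mkdir(parents=True)
    target.write_text("<?php phpinfo();\n")  # stand-in for the real file
    return remove_exposed_file(root), remove_exposed_file(root)


if __name__ == "__main__":
    print("removal:", demo_remove_in_temp_tree())
    hits = find_phpinfo_requests(SAMPLE_LOG)
    print("requests for the exposed script:", hits)
    print("sources that received phpinfo output:", dict(summarize_by_source(hits)))
```

Run the log scan over the real access logs of every host that served the graphapi app; any source that received a 200 for this path should be treated as having read the container's environment, which is why the credential rotation above is not optional.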

The other two vulnerabilities of the ownCloud platform are of lower severity but still of high impact. They affect the ownCloud OAuth2 application and the ownCloud core.

Subdomain Validation Bypass

Main features

  • CVE identifier: CVE-2023-49104.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/oauth2.
  • CVSS Score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N (8.7 High)
  • CWE: CWE-284 – Improper Access Control.
  • Affected versions:
    • oauth2 < 0.6.1
  • Exploitation requirements:
    • “Allow Subdomains” option enabled.

Impact

Within ownCloud’s OAuth2 application, when the “Allow Subdomains” option is enabled, an attacker can send a manipulated redirect URL that bypasses the validation code. This allows the attacker to redirect the callback requests to a top-level domain (TLD) under their control.

Mitigation

To fix this vulnerability, the “Allow Subdomains” option must be disabled.
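What a strict redirect-URI check looks like when subdomains are permitted, as an added example; this is not ownCloud's validation code and does not reproduce its specific flaw, which the advisory does not describe. The policy rules, the registered URI and the hostnames are assumptions of the example.

```python
"""Added example: strict redirect-URI matching for an OAuth2 client.

The registered URI, candidate URIs and the policy rules below are
illustrative assumptions, not ownCloud's implementation.
"""
from urllib.parse import urlsplit


def redirect_uri_allowed(registered_uri, candidate_uri, allow_subdomains=False):
    """Return True only if candidate_uri may receive the authorization code.

    Policy (assumed for this example):
      * scheme and port must match the registered URI;
      * the host must equal the registered host exactly, or, when
        allow_subdomains is True, be a label-wise child of it
        ("files.app.example.org"), never a host that merely contains or
        starts with the registered name ("app.example.org.attacker.example",
        "notapp.example.org");
      * the path must equal the registered path or lie beneath it.
    The default allow_subdomains=False mirrors the advisory's mitigation.
    """
    reg = urlsplit(registered_uri)
    cand = urlsplit(candidate_uri)
    if not reg.hostname or not cand.hostname:
        return False
    if cand.scheme != reg.scheme or cand.port != reg.port:
        return False
    reg_host = reg.hostname.lower()
    cand_host = cand.hostname.lower()
    # The leading dot is what makes this a label boundary check rather than a
    # substring or prefix check.
    host_ok = cand_host == reg_host or (
        allow_subdomains and cand_host.endswith("." + reg_host)
    )
    if not host_ok:
        return False
    return cand.path == reg.path or cand.path.startswith(reg.path.rstrip("/") + "/")


REGISTERED = "https://app.example.org/callback"  # constructed client registration

if __name__ == "__main__":
    for uri in [
        "https://app.example.org/callback",
        "https://files.app.example.org/callback",
        "https://app.example.org.attacker.example/callback",
        "https://notapp.example.org/callback",
        "http://app.example.org/callback",
    ]:
        print(f"{uri:55} subdomains off={redirect_uri_allowed(REGISTERED, uri)!s:5} "
              f"on={redirect_uri_allowed(REGISTERED, uri, allow_subdomains=True)}")
```

Even with the option disabled, the exact-host comparison is what you want to keep; enabling subdomains is only safe when the comparison is anchored at a label boundary and the scheme, port and path are checked as well.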

WebDAV API Authentication Bypass using Pre-Signed URLs

Main features

  • CVE identifier: CVE-2023-49105.
  • Publication date: 21/11/2023.
  • Affected software: ownCloud owncloud/core.
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
  • CWE: CWE-665 – Improper Initialization.
  • Affected versions:
    • core 10.6.0 – 10.13.0
  • Exploitation requirements:
    • The victim’s username is known.
    • The victim account has no signing-key configured (default configuration).

Impact

Pre-signed URLs can be accepted even when no signing key has been configured for the owner of the files. This allows an attacker to access, modify or delete files without authentication. Only the victim’s username must be known, and the victim must not have a signing key configured, which is the default setting.

Mitigation

The main solution is to deny the use of pre-signed URLs if a signing key has not been configured for the owner of the files.
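The verification rule the mitigation describes, denying any pre-signed URL when the owner has no signing key, as an added example. This is not ownCloud's pre-signed URL format or code; the HMAC-SHA256 scheme, the parameter names, the sample URL and the key are assumptions constructed for the demo.

```python
"""Added example: pre-signed URL verification that refuses to operate without
a configured owner key.

The URL scheme (expires + signature query parameters, HMAC-SHA256 over the
canonical URL) and all sample values are assumptions of this example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class NoSigningKey(Exception):
    """Raised when signing is requested for an owner without a key."""


def _canonical(parts, query):
    """Rebuild the URL with a sorted query so signer and verifier agree."""
    encoded = urlencode(sorted((k, v[0]) for k, v in query.items()))
    return urlunsplit(parts._replace(query=encoded))


def sign_url(url, owner_key, expires_at):
    """Append an expiry and an HMAC-SHA256 signature. Requires a real key."""
    if not owner_key:
        raise NoSigningKey("owner has no signing key configured")
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["expires"] = [str(expires_at)]
    base = _canonical(parts, query)
    sig = hmac.new(owner_key, base.encode(), hashlib.sha256).hexdigest()
    return base + "&signature=" + sig


def verify_presigned(url, owner_key, now):
    """Return True only for an unexpired signature made with the owner's key.

    The first check is the point of the example: an owner with no key has
    nothing to verify against, so the request is denied outright rather than
    treating "unset" as an empty-but-valid key (CWE-665).
    """
    if not owner_key:
        return False
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    sig = query.pop("signature", [None])[0]
    expires = query.get("expires", [None])[0]
    if sig is None or expires is None or not expires.isdigit():
        return False
    if int(expires) < now:
        return False
    expected = hmac.new(owner_key, _canonical(parts, query).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed demo values: a fake owner key and a fake WebDAV-style file URL.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_URL = "https://cloud.example.org/dav/files/alice/report.pdf"
DEMO_EXPIRY = 1_700_000_000


def demo_outcomes():
    """Sign once and verify under several conditions; returns a dict of results."""
    signed = sign_url(DEMO_URL, DEMO_KEY, DEMO_EXPIRY)
    return {
        "valid": verify_presigned(signed, DEMO_KEY, DEMO_EXPIRY - 60),
        "expired": verify_presigned(signed, DEMO_KEY, DEMO_EXPIRY + 1),
        "wrong_key": verify_presigned(signed, b"other-key", DEMO_EXPIRY - 60),
        "tampered": verify_presigned(signed + "0", DEMO_KEY, DEMO_EXPIRY - 60),
        "owner_has_no_key": verify_presigned(signed, None, DEMO_EXPIRY - 60),
    }


if __name__ == "__main__":
    for name, ok in demo_outcomes().items():
        print(f"{name:17} -> {'accept' if ok else 'deny'}")
```

The "owner_has_no_key" case is the one that matters for CVE-2023-49105: a syntactically complete, even freshly generated, signature is still denied because the owner never configured a key.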

As part of its emerging vulnerabilities service, Tarlogic Security proactively monitors the perimeter of its clients to promptly report, detect, and urgently notify the presence of this vulnerability, along with other critical threats that could pose a serious impact on the security of their assets.
