Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open-source filesharing server app.
The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.
Spraying the Internet
“We’re seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we’ve seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”
CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they’re configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week’s disclosure, ownCloud officials said that in containerized configurations—such as those using the Docker virtualization tool—the URL can reveal data used to log into the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn’t sufficient to lock down a vulnerable server.
CitrixBleed—have. Specifically, independent researcher Kevin Beaumont has noted that the CVE-2023-49103 vulnerability wasn’t introduced until 2020, isn’t exploitable by default, and was only introduced in containers in February.
“I don’t think anybody else actually checked if the vulnerable feature is enabled,” he said in an interview. What’s more, an ownCloud Web page showed graphapi had fewer than 900 installs at the time this post went live on Ars. ownCloud officials didn’t immediately respond to an email seeking technical details of the vulnerability and the precise conditions required for it to be exploited.
Given the potential threat posed by CVE-2023-49103, there’s still room for legitimate concern. According to security organization Shadowserver, a recent scan revealed more than 11,000 IP addresses hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland. Even if only a small fraction of the servers are vulnerable, the potential for harm is real.
here and here.
In recent months, vulnerabilities in file sharing apps such as WS-FTP server, MOVEit, and IBM Aspera Faspex, and GoAnywhere MFT have enabled the compromise of thousands of enterprise networks. Anyone who ignores the threat posed by the recently fixed ownCloud flaws does so at their own peril.