CVE-2023-49103, CVE-2023-49104, and CVE-2023-49105: Multiple Critical Vulnerabilities in ownCloud


On November 21, 2023, ownCloud published advisories on three security vulnerabilities. 

The most severe of these vulnerabilities is an information disclosure vulnerability tracked as CVE-2023-49103 (CVSS: 10). The vulnerability is within the “graphapi” extension and is due to a library it relies on. The library provides a URL that, when accessed, discloses configuration details of the PHP environment, including environment variables. In containerized deployments, this could include the ownCloud admin password, mail server credentials, and license key. According to ownCloud, Docker containers from before February 2023 are not impacted by this vulnerability. Arctic Wolf has identified a publicly available Proof of Concept (PoC) exploit and reports of mass exploitation attempts by threat actors since at least November 25 for this vulnerability.

The second most severe vulnerability included in the advisories is CVE-2023-49105 (CVSS: 9.8). This vulnerability is an authentication bypass vulnerability that could allow a remote, unauthenticated threat actor to modify or delete files if they know their target’s username and the target has no signing-key configured (which is the default). 

The final vulnerability is CVE-2023-49104 (CVSS: 8.7), a subdomain bypass vulnerability within the oauth2 app. By passing a malicious redirect-url, a remote, unauthenticated threat actor could bypass validation and redirect callbacks to a domain controlled by the threat actor.

At this time, Arctic Wolf has not identified any reports of active exploitation in the wild for CVE-2023-49104 and CVE-2023-49105. 

Recommendations for CVE-2023-49103, CVE-2023-49104, CVE-2023-49105

Recommendation #1: Upgrade ownCloud Instances

Arctic Wolf strongly recommends applying ownCloud’s patches. 

| Product | Affected Version | CVE | Fixed Version |
|---|---|---|---|
| graphapi app | 0.2.0 – 0.3.0 | CVE-2023-49103 | 0.3.1 |
| oauth2 app | < 0.6.1 | CVE-2023-49104 | 0.6.1 |
| ownCloud core (Server) | 10.6.0 – 10.13.0 | CVE-2023-49105 | 10.13.1 and above |

Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Recommendation #2: Take Additional Actions to Mitigate CVE-2023-49103

To mitigate CVE-2023-49103, ownCloud advises deleting the following file:

owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php 

ownCloud also recommends changing the following secrets:

  1. ownCloud admin password 
  2. Mail server credentials 
  3. Database credentials 
  4. Object-Store/S3 access-key 
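
To complement the file removal above, the following added example (not from ownCloud or the original advisory) scans web server access logs for requests to the GetPhpInfo.php path and marks those that received a successful response. It assumes the Apache/nginx "combined" log format; the sample log lines and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# File named in the advisory, lowercased for case-insensitive matching.
TARGET = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, undo single and double percent-encoding,
    collapse '//' and './' segments, and lowercase the path."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return posixpath.normpath(path).lower()

def scan(lines):
    """Return one record per request that touched the advisory's file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or TARGET not in normalize(m["target"]):
            continue
        status = int(m["status"])
        # A 2xx status means the server returned the page contents.
        hits.append({"ip": m["ip"], "time": m["time"], "status": status,
                     "served": 200 <= status < 300})
    return hits

def served_sources(hits):
    """Client addresses that received a successful response."""
    return sorted({h["ip"] for h in hits if h["served"]})

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [25/Nov/2023:10:15:32 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 71234 "-" "constructed-agent/1.0"',
    '198.51.100.23 - - [26/Nov/2023:02:01:09 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 196 "-" "constructed-agent/1.0"',
    '192.0.2.10 - alice [26/Nov/2023:08:30:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "constructed-agent/1.0"',
    '203.0.113.7 - - [26/Nov/2023:09:44:51 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/%47etPhpInfo.php?x=1 HTTP/1.1" 200 71190 "-" "constructed-agent/1.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with a 2xx status shows when the page contents were returned, which helps scope the incident timeline; the secret changes listed above apply regardless of what the logs show.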

Workaround: Disable “Allow Subdomains” Option to Mitigate CVE-2023-49104

CVE-2023-49104 can only be exploited when the “Allow Subdomains” option is enabled; disabling the option mitigates the vulnerability.

References 

  1. ownCloud advisory on CVE-2023-49103
  2. ownCloud advisory on CVE-2023-49104 
  3. ownCloud advisory on CVE-2023-49105 
  4. GreyNoise report
Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.