On November 21, 2023, ownCloud published advisories on three security vulnerabilities.
The most severe of these vulnerabilities is an information disclosure vulnerability tracked as CVE-2023-49103 (CVSS: 10). The vulnerability is within the “graphapi” extension and is due to a library it relies on. The library provides a URL that when accessed discloses configuration details regarding the PHP environment including environment variables. In containerized deployments, this could include the ownCloud admin password, mail server credentials, and license key. Docker containers from before February 2023 are not impacted by this vulnerability according to ownCloud. Arctic Wolf has identified a publicly available Proof of Concept (PoC) exploit and reports of mass exploitation attempts by threat actors since at least November 25 for this vulnerability.
The second most severe vulnerability included in the advisories is CVE-2023-49105 (CVSS: 9.8). This vulnerability is an authentication bypass vulnerability that could allow a remote, unauthenticated threat actor to modify or delete files if they know their target’s username and the target has no signing-key configured (which is the default).
The final vulnerability is CVE-2023-49104 (CVSS: 8.7) which is a subdomain bypass vulnerability within the oauth2 app. By passing a malicious redirect-url, a remote, unauthenticated threat actor could bypass validation and redirect callbacks to a domain controlled by the threat actor.
At this time, Arctic Wolf has not identified any reports of active exploitation in the wild for CVE-2023-49104 and CVE-2023-49105.
Recommendations for CVE-2023-49103, CVE-2023-49104, CVE-2023-49105
Recommendation #1: Upgrade ownCloud Instances
Arctic Wolf strongly recommends applying ownCloud’s patches.
Product | Affected Version | CVE | Fixed Version |
graphapi app | 0.2.0 – 0.3.0 | CVE-2023-49103 | 0.3.1 |
oauth2 app | < 0.6.1 | CVE-2023-49104 | 0.6.1 |
ownCloud core (Server) | 10.6.0 – 10.13.0 | CVE-2023-49105 | 10.13.1 and above |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #2: Take Additional Actions to Mitigate CVE-2023-49103
To mitigate against CVE-2023-49103, ownCloud advised to delete the following file:
owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
ownCloud also recommended to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key
Workaround: Disable “Allow Subdomains” Option to Mitigate CVE-2023-49104
In order for CVE-2023-49104 to be successfully exploited the “Allow Subdomains” option must be enabled.