
Warning: Multiple critical vulnerabilities in ownCloud core that could lead to exposure of credentials and modification of files

Reference:
Advisory #2023-140
Version:
1.1
Affected software:
ownCloud / graphapi 0.2.0 – 0.3.0
ownCloud / oauth2 < 0.6.1
ownCloud / core 10.6.0 – 10.13.0
Type: 
Multiple vulnerability types
CVE/CVSS: 
  • CVE-2023-49103
    CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2023-49104
    CVSS 3.1: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
  • CVE-2023-49105
    CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Risks

CVE-2023-49103 is a critical vulnerability with a CVSS score of 10.0 in the Graph API (graphapi) extension of the ownCloud server. A remote, unauthenticated attacker who exploits it can obtain sensitive data such as credentials, which gives the attacker a foothold from which to pivot within the environment that hosts the ownCloud server. The impact on the confidentiality, integrity and availability of information is high.
This vulnerability also has a Proof of Concept, and is actively being exploited.

CVE-2023-49104 is a critical vulnerability with a CVSS score of 9.0 in the oauth2 app of the ownCloud server. The attack is rated high-complexity: a remote, unauthenticated attacker passes a specially crafted redirect URL that bypasses the app's validation code. This could allow the attacker to gain unauthorized access to user data and perform unauthorized actions.

CVE-2023-49105 is a critical vulnerability with a CVSS score of 9.8 in the WebDAV protocol support of ownCloud. A remote, unauthenticated attacker could exploit it to access, modify or delete files. The impact on the confidentiality, integrity and availability of information is high.

Description

ownCloud is a widely used open-source file sync and share solution. On 21 November 2023 ownCloud published three security advisories detailing three critical vulnerabilities in the ownCloud server and two of its apps (graphapi and oauth2). A summary of the three vulnerabilities is given below.

Exploitation of CVE-2023-49103 exposes sensitive information to an unauthenticated attacker. The graphapi app relies on a third-party library that provides a URL; when that URL is requested, it returns the configuration details of the PHP environment (phpinfo output), including the PHP environment variables. In many deployments these hold sensitive data such as the ownCloud admin password, mail server credentials and the license key. Instances running in a containerized environment are the most exposed, since such deployments typically pass credentials through environment variables, but non-containerized instances are vulnerable as well because the phpinfo output also reveals other sensitive configuration details.

CVE-2023-49104 is an Improper Access Control vulnerability within the oauth2 app. An attacker can pass a specially crafted redirect-url which bypasses the validation code. This allows the attacker to redirect callbacks to a TLD controlled by the attacker.
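The bypass class described above, and the "Allow Subdomains" mitigation recommended further down, can be illustrated with a redirect-URI validator. The following is an added example written for this advisory; it is not the ownCloud oauth2 app's code and does not reproduce its actual validation logic. The registered client (https://app.example.com/callback) and all candidate URLs are constructed. The weak check tests whether the registered host appears anywhere in the candidate host, which lets a host under an attacker-controlled domain pass; the strict check requires an exact host match or, only when subdomains are explicitly allowed, a label directly beneath the registered host.

```python
from urllib.parse import urlsplit

# Constructed registration for the example: an OAuth2 client whose registered
# redirect URI is https://app.example.com/callback (illustrative, not a real
# ownCloud client).
REGISTERED_REDIRECT = "https://app.example.com/callback"


def _parts(url):
    """Return (scheme, host, path) with scheme and host lower-cased."""
    u = urlsplit(url)
    return u.scheme.lower(), (u.hostname or "").lower(), u.path


def loose_redirect_check(candidate, registered=REGISTERED_REDIRECT):
    """Weak 'allow subdomains' check: passes if the registered host occurs
    anywhere inside the candidate host. A host such as
    app.example.com.attacker.example passes, which is the class of bypass the
    advisory describes. Illustrative weak check, not ownCloud's code."""
    rs, rh, rp = _parts(registered)
    cs, ch, cp = _parts(candidate)
    return cs == rs and rh in ch and cp == rp


def strict_redirect_check(candidate, registered=REGISTERED_REDIRECT, allow_subdomains=False):
    """Hardened check: scheme and path must match exactly, and the host must be
    the registered host itself or, only when subdomains are allowed, a host
    that ends with '.' + the registered host."""
    rs, rh, rp = _parts(registered)
    cs, ch, cp = _parts(candidate)
    if cs != rs or cp != rp or not ch:
        return False
    if ch == rh:
        return True
    return allow_subdomains and ch.endswith("." + rh)


if __name__ == "__main__":
    for url in (
        "https://app.example.com/callback",
        "https://login.app.example.com/callback",
        "https://app.example.com.attacker.example/callback",
        "https://evilapp.example.com/callback",
        "http://app.example.com/callback",
    ):
        print(f"{url:52} loose={loose_redirect_check(url)!s:5} "
              f"strict={strict_redirect_check(url)!s:5} "
              f"strict+subdomains={strict_redirect_check(url, allow_subdomains=True)}")
```

Even the strict check with allow_subdomains=True accepts any host beneath app.example.com, so a compromised or user-controlled subdomain of the registered host would still receive the callback; that is why the advisory recommends disabling the subdomain option altogether.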

CVE-2023-49105 is an Improper Initialization vulnerability in the WebDAV protocol support of ownCloud. An attacker could generate a pre-signed URL that grants unauthorized access to, modification of, or deletion of any file. The prerequisites for the attack to succeed are:

  • The attacker needs to know the victim's username
  • The victim does not have a signing key configured (which is the default)
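Why an absent signing key is enough for the attack, and why the "configure signing keys" recommendation further down helps, can be shown with a small pre-signed-URL scheme. This is an added example written for this advisory, not ownCloud's WebDAV code: the signature layout, the parameter names (user, expires, signature), the per-user key table and the file paths are all assumptions constructed for the example. The weak verifier treats a user without a key as if the key were the empty string, so an attacker who knows only the username can compute a signature that verifies; the strict verifier refuses to evaluate a signature at all for a user without a configured key.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-user signing keys. "alice" has a key configured; "bob" has
# none, which is the second prerequisite listed in the advisory.
SIGNING_KEYS = {"alice": "alice-signing-key-example", "bob": None}


def _message(path, user, expires):
    """Canonical bytes covered by the signature (illustrative layout)."""
    return f"{path}|{user}|{expires}".encode()


def sign_url(path, user, expires, key):
    """Build a pre-signed URL for `path` with HMAC-SHA256 under `key`."""
    mac = hmac.new(key.encode(), _message(path, user, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'user': user, 'expires': expires, 'signature': mac})}"


def _unpack(url):
    u = urlsplit(url)
    q = parse_qs(u.query)
    return (u.path, q.get("user", [""])[0],
            int(q.get("expires", ["0"])[0]), q.get("signature", [""])[0])


def verify_weak(url, now, keys=SIGNING_KEYS):
    """Weak verifier: a missing key silently becomes the empty string, so the
    'secret' for a user without a key is known to everyone."""
    path, user, expires, sig = _unpack(url)
    key = keys.get(user) or ""
    expected = hmac.new(key.encode(), _message(path, user, expires), hashlib.sha256).hexdigest()
    return now < expires and hmac.compare_digest(expected, sig)


def verify_strict(url, now, keys=SIGNING_KEYS):
    """Hardened verifier: no configured key means no pre-signed access at all."""
    path, user, expires, sig = _unpack(url)
    key = keys.get(user)
    if not key:
        return False
    expected = hmac.new(key.encode(), _message(path, user, expires), hashlib.sha256).hexdigest()
    return now < expires and hmac.compare_digest(expected, sig)


def forge_for_user_without_key(path, user, now):
    """What an attacker who knows only the username does against the weak
    verifier: sign with the empty key."""
    return sign_url(path, user, now + 3600, "")


if __name__ == "__main__":
    now = 1_700_000_000
    good = sign_url("/dav/files/alice/report.pdf", "alice", now + 3600, SIGNING_KEYS["alice"])
    forged = forge_for_user_without_key("/dav/files/bob/secret.txt", "bob", now)
    print("alice, real key  weak/strict:", verify_weak(good, now), verify_strict(good, now))
    print("bob, forged      weak/strict:", verify_weak(forged, now), verify_strict(forged, now))
```

Configuring a signing key for every user removes the empty-key case, but the verifier should still fail closed for any user whose key is missing rather than substituting a default.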

Recommended actions

Upgrade

The CCB recommends upgrading all affected components to a version that is not vulnerable, i.e. the first release above each affected range listed at the top of this advisory:

  • ownCloud / graphapi 0.3.1 or later
  • ownCloud / oauth2 0.6.1 or later
  • ownCloud / core 10.13.1 or later

We also recommend checking all other installed apps and making sure they are up to date.

Remediation measures and recommendations

  • Change sensitive credentials: Reset the ownCloud admin password, mail server credentials, and database credentials.
  • Disable Subdomains option in OAuth2 app: Disable the “Allow Subdomains” option in the OAuth2 app to mitigate the subdomain validation bypass vulnerability.
  • Configure signing keys for WebDAV authentication: Configure signing keys for WebDAV users to prevent unauthorized access and data manipulation.

Monitor/Detect

Note that an instance that was already compromised remains compromised after upgrading to a fixed version, because an attacker who exploited the vulnerable instance can have created administrator accounts, and those accounts survive the upgrade.

The CCB recommends that organizations increase their monitoring and detection capabilities, look for any related suspicious activity, and ensure a fast response in case of an intrusion.
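As an added example of the kind of retrospective check this recommendation calls for (not part of the original advisory and not an ownCloud tool), the script below triages web server access logs in the common "combined" format for two indicators tied to the vulnerabilities above: requests into the graphapi app for something named phpinfo, and OAuth2 authorize requests whose redirect_uri host is neither a registered client host nor a subdomain of one. The sample log lines, the request paths in them and the allowlist of registered redirect hosts are all constructed for the example; the advisory does not state the exact disclosure URL, so the first indicator is a heuristic on the path, not a claim about the real endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log: client, identity, user, [timestamp],
# "METHOD target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed allowlist: redirect hosts of the OAuth2 clients registered on the
# instance (illustrative value).
REGISTERED_REDIRECT_HOSTS = {"app.example.com"}

# Constructed sample log lines. Paths and addresses are illustrative only and are
# not copied from ownCloud or from any real probe.
SAMPLE_LOG = """
198.51.100.20 - - [22/Nov/2023:09:58:11 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 8123
203.0.113.7 - - [22/Nov/2023:10:14:02 +0000] "GET /apps/graphapi/vendor/tests/phpinfo-probe.php HTTP/1.1" 200 51234
198.51.100.20 - - [22/Nov/2023:10:20:40 +0000] "GET /index.php/apps/oauth2/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback HTTP/1.1" 200 2210
203.0.113.9 - - [22/Nov/2023:10:31:17 +0000] "GET /index.php/apps/oauth2/authorize?client_id=abc&redirect_uri=https%3A%2F%2Fapp.example.com.attacker.example%2Fcallback HTTP/1.1" 302 0
203.0.113.7 - - [23/Nov/2023:08:02:54 +0000] "GET /apps/graphapi/vendor/tests/phpinfo-probe.php HTTP/1.1" 404 196
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    target = urlsplit(rec["target"])
    rec["path"] = target.path
    rec["query"] = parse_qs(target.query)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, registered_hosts=REGISTERED_REDIRECT_HOSTS):
    """Return (ip, indicator, status, detail) tuples for lines worth a closer look."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        # Indicator 1: a request into the graphapi app for a phpinfo-named
        # resource. A 200 here means the disclosure may have succeeded; a 404
        # after the upgrade still shows who was probing.
        if "graphapi" in path and "phpinfo" in path:
            findings.append((rec["ip"], "graphapi-phpinfo-request", rec["status"], rec["path"]))
        # Indicator 2: an OAuth2 authorize request whose redirect_uri host is
        # neither a registered host nor a subdomain of one.
        if "oauth2" in path and path.endswith("authorize"):
            redirect = rec["query"].get("redirect_uri", [""])[0]
            host = (urlsplit(redirect).hostname or "").lower()
            off_list = host not in registered_hosts and not any(
                host.endswith("." + h) for h in registered_hosts
            )
            if host and off_list:
                findings.append((rec["ip"], "oauth2-redirect-off-allowlist", rec["status"], host))
    return findings


if __name__ == "__main__":
    for ip, indicator, status, detail in triage(SAMPLE_LOG):
        print(f"{ip:15} {indicator:30} {status} {detail}")
```

A hit on either indicator is a reason to treat the instance as potentially compromised and to rotate the credentials listed under the remediation measures, not merely to patch; the findings also give the source addresses to search for elsewhere in the environment.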

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References