Exploit Available for Docker Versions of ownCloud Affected by Recent Max. Severity Bug

Image credit: Shutterstock

More than 4,000 ownCloud instances remain exposed to attack via CVE-2023-49103; CISA adds vuln to KEV catalog.

Attack surface management vendor Onyphe has discovered a total of 4,129 Internet-connected instances of ownCloud that are exposed to attack via the recently disclosed unauthenticated disclosure vulnerability (CVE-2023-49103) in the open-source file sharing and synchronization software.

The number is substantially higher than what Onyphe had discovered in an initial scan and suggests a troublingly high number of organizations remain unpatched against the maximum severity flaw more 10 days after ownCloud disclosed it.

Docker Instances are Vulnerable to Exploit

Meanwhile, in a separate development, researchers at Rapid7 have confirmed that Docker installations of vulnerable ownCloud instances are, in fact, exploitable. Earlier in the week, Rapid7 had assessed that these instances were safe from an exploit for CVE-2023-49103 that become publicly available soon after ownCloud disclosed the vulnerability. In Rapid7’s words, subsequent research has confirmed “a technique is available that makes vulnerable Docker installations of ownCloud exploitable in a default configuration.”

ownCloud disclosed CVE-2023-49103 on Nov. 21 with a recommendation that customers upgrade to the latest 10.13.3 version of the software “as soon as possible”. The company described the flaw as giving adversaries a way to access email server credentials, admin passwords and license keys leaving organizations exposed to a variety of attacks.Unlike

The issue affects ownCloud instances when an extension called “Graph API” (graphapi) is present. The graphapi app relies on a third-party library that provides a URL. Because of a vulnerability in the extension, when the URL is accessed, it reveals the entire configuration details of the PHP environment (phpinfo), ownCloud said.  

Patch Now

The company recommended that in addition to upgrading, organizations should immediately remove the GetPhpInfo.php file because simply disabling it isn’t enough to eliminate the vulnerability. “Even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern,” because phpinfo can expose a whole lot of sensitive configuration info that an attacker can exploit, ownCloud said.

According to Rapid7, researchers initially assumed that exploits targeting vulnerable Docker installed of ownCloud would fail with a simple HTTP 302 redirect. But further research has shown than an adversary can in fact exploit these ownCloud instances by “modifying the requested URI such that it can bypass the existing Apache web server’s rewrite rules. allowing the target URI endpoint to be successfully reached.”

“As Docker passes secrets via environment variables, this allows an attacker to leak secrets such as the OWNCLOUD_ADMIN_USERNAME and OWNCLOUD_ADMIN_PASSWORD environment variables,” so they can login to the affected ownCloud system with admin privileges, Rapid7 said.

The vulnerability has received considerable attention both because of its severity and because of the fact that file-sharing technologies like ownCloud are a popular attacker target. In fact, just one day after ownCloud disclosed CVE-2023-49103, a public exploit for it became available and a couple of days later vendors began reporting incidents of exploit activity—including ransomware—targeting the flaw. On Nov 29, GreyNoise, which monitors malicious activity on the Internet reported observing mass exploit activity targeting the ownCloud flaw actually beginning on Nov 25, or just four days after flaw disclosure.

On Nov. 30, the United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-49103 to its catalog of known exploited vulnerabilities. All federal civilian executive branch agencies need to mitigate the flaw by Dec. 21 or stop using the technology after that date until they address it.