OwnCloud recently disclosed several vulnerabilities within its namesake open-source file-hosting application. Among these, one critical vulnerability (CVE-2023-49103) is currently being actively exploited by attackers. This flaw, rated with a maximum CVSS score of 10, allows malicious actors to pilfer credentials and license keys.
The vulnerability resides within the Graphapi app, which relies on a third-party library that provides a URL for retrieving PHP environment details (phpinfo). In containerized deployments, those environment details can include sensitive data such as OwnCloud admin passwords and mail server credentials. Notably, Docker containers from before February 2023 are not affected by the credential exposure.
Reports indicate a significant concentration of vulnerable systems in Germany, with over 11,000 systems worldwide at risk. Despite the gravity of the situation, merely deactivating the Graphapi app does not suffice as a solution.
OwnCloud advises administrators to delete the vulnerable file and promptly change exposed credentials. Additionally, two other vulnerabilities (CVE-2023-49104 and CVE-2023-49105) have been disclosed, further underscoring the urgency for mitigation efforts.
Despite OwnCloud’s patch release on September 1, an update to Graphapi version 0.3.1 remains imperative to safeguard systems. Threat actors have swiftly capitalized on this vulnerability since November 25, 2023, with multiple IPs involved in exploitation attempts.
Both Shadowserver and GreyNoise corroborate the escalating exploitation activity, and administrators should act immediately to mitigate the risk. Disabling the ‘phpinfo’ function in Docker containers and fortifying passwords are crucial steps in thwarting potential breaches.
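The remediation steps above can be checked per instance. The following is an added example, not code from OwnCloud or from this article: it assumes the app version is stored in a `<version>` element of the Graphapi app's info.xml and that PHP's `disable_functions` directive is set in php.ini. The function names and sample inputs are constructed, and the caller must determine from OwnCloud's advisory whether the vulnerable file is still present.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (0, 3, 1)  # Graphapi version the article says to update to

def parse_version(text):
    """Turn '0.3.0' into (0, 3, 0); a '-rc1' style suffix is ignored."""
    parts = [int(m) for m in re.findall(r"\d+", text.split("-")[0])]
    return tuple((parts + [0, 0, 0])[:3])

def app_version(info_xml):
    """Read <version> from an app's info.xml text (assumed app layout)."""
    node = ET.fromstring(info_xml).find("version")
    if node is None or not node.text:
        raise ValueError("no <version> element")
    return parse_version(node.text.strip())

def disabled_functions(php_ini):
    """Names from the last active disable_functions line in php.ini text."""
    names = set()
    for line in php_ini.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.I)
        if m:
            names = {n.strip().strip('"').lower()
                     for n in m.group(1).split(",") if n.strip()}
    return names

def audit(info_xml, php_ini, vulnerable_file_present):
    """Return the article's remediation steps that are still open.
    Whether the app is enabled is deliberately not considered, because
    deactivating Graphapi does not remove the exposure."""
    findings = []
    if app_version(info_xml) < FIXED:
        findings.append("update graphapi to 0.3.1")
    if vulnerable_file_present:
        findings.append("delete the vulnerable file named in the advisory")
    if "phpinfo" not in disabled_functions(php_ini):
        findings.append("add phpinfo to disable_functions")
    if findings:  # any open item means the environment may have been readable
        findings.append("change exposed credentials")
    return findings

# Constructed sample inputs (not taken from a real instance).
SAMPLE_INFO = "<info><id>graphapi</id><version>0.3.0</version></info>"
SAMPLE_INI = "; hardening\ndisable_functions = exec, passthru\n"

if __name__ == "__main__":
    for item in audit(SAMPLE_INFO, SAMPLE_INI, vulnerable_file_present=True):
        print("OPEN:", item)
```

An empty result only means the listed steps are done; credentials that were exposed before remediation still need to be changed.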
In conclusion, the exploitation of CVE-2023-49103 underscores the critical importance of swift and comprehensive security measures within the OwnCloud ecosystem.