Security researchers are tracking what they say is the “mass exploitation” of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open-source filesharing server app.
The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing “mass exploitation” in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.
Spraying the Internet
“We’re seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation,” Glenn Thorpe, senior director of security research & detection engineering at Greynoise, said in an interview on Mastodon. “At the moment, we’ve seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.”
CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they’re configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week’s disclosure, ownCloud officials said that in containerized configurations—such as those using the Docker virtualization tool—the URL can reveal data used to log into the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn’t sufficient to lock down a vulnerable server.
The ownCloud advisory explained:
The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.
It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.
Not all security practitioners regard the vulnerability as posing a widespread threat, the way other vulnerabilities—most recently the vulnerability tracked as CVE-2023-4966 and CitrixBleed—have. Specifically, independent researcher Kevin Beaumont has noted that the CVE-2023-49103 vulnerability wasn’t introduced until 2020, isn’t exploitable by default, and was only introduced in containers in February.
“I don’t think anybody else actually checked if the vulnerable feature is enabled,” he said in an interview. What’s more, an ownCloud Web page showed graphapi had fewer than 900 installs at the time this post went live on Ars. ownCloud officials didn’t immediately respond to an email seeking technical details of the vulnerability and the precise conditions required for it to be exploited.
Given the potential threat posed by CVE-2023-49103, there’s still room for legitimate concern. According to security organization Shadowserver, a recent scan revealed more than 11,000 IP addresses hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland. Even if only a small fraction of the servers are vulnerable, the potential for harm is real.