CVE-2023-49103 – ownCloud Under Attack
ownCloud, a popular open-source file server facilitating secure storage, file-sharing, and collaboration, released information on several flaws that potentially exposed credential information. These are considered especially CRITICAL vulnerabilities if the ownCloud server is hosted in a containerized environment (e.g. Docker). These vulnerabilities expose sensitive information, including passwords, API keys, tokens, and other environment variables, through a default PHP page that was left publicly accessible.
The real issue here is that Docker/Kubernetes containers store sensitive information in these environment variables by design, and the default phpinfo page exposes them to anyone who knows the subpage URL.
It’s under attack
GreyNoise reports that exploitation attempts were first spotted over the Thanksgiving weekend and are initially probing for credentials that might be exposed on these servers.
Kaseya Customer Exposure
Among customers subscribed to our security products/services, we see 29 separate customer environments running this application. Given the type of vulnerability (an openly hosted URL), alerts will likely not be generated: malicious access attempts or credential theft are most easily identified through manual review of ownCloud’s server logs.
Recommendations
Customers are advised to shut down these services until the patch can be applied. After patching, it is advised to rotate the ownCloud admin password and any S3 access keys, API keys or passwords that may have been stored in the server/container’s environment variables.
MITIGATION OPTION: If the patch cannot be applied immediately, you can also mitigate the vulnerability by deleting this file:
owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
Vulnerability Info
- Product: ownCloud Server
- Affected Versions: 0.2.x before 0.2.1 and 0.3.x before 0.3.1
- CVE: CVE-2023-49103 (CVSS 10.0)
- Type: Exposure of Sensitive Information (CWE-200)
- Disclosure/Publish Date: 21 November 2023
- Advisory: https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments
- First Patched Version: 0.2.2 and 0.3.2 (22 October 2023)
- First Exploited: Confirmed as early as 27 November 2023
- First Publicly Available Exploit: 21 November 2023
Description: ownCloud exposes a default GetPhpInfo.php URL which, when accessed, reveals the configuration details of the PHP environment. This information includes all the environment variables of the webserver. In containerized environments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.
If these sensitive variables are present and accessed by a malicious actor, there would be limited indicators of compromise because only legitimate URLs and stolen passwords are used. This makes it imperative to review ownCloud server logs and change any exposed credentials.
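As an added example (not from the advisory, and not ownCloud’s own code), the following script performs the log review described above: it parses webserver access-log lines in the common Apache/nginx combined format, flags every request for GetPhpInfo.php, and counts the requests per source IP that returned HTTP 200, i.e. the ones where the phpinfo page (and any credentials in the environment) was actually served. The log lines are constructed samples using documentation IP ranges; the log format and file name match are assumptions.

```python
import re
from collections import Counter

# File name of the exposed phpinfo endpoint named in the advisory (matched case-insensitively).
PHPINFO_MARKER = "getphpinfo.php"

# Apache/nginx "combined" access-log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2023:03:14:07 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "python-requests/2.31"
198.51.100.23 - - [27/Nov/2023:03:15:10 +0000] "GET /index.php/login HTTP/1.1" 200 9113 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2023:03:16:42 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "curl/8.4.0"
192.0.2.55 - - [28/Nov/2023:11:02:01 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 203 "-" "Mozilla/5.0"
"""


def find_phpinfo_hits(log_text):
    """Return the parsed fields of every request whose path contains GetPhpInfo.php.

    Matching on the file name rather than the full path catches requests made
    through different URL prefixes (e.g. with or without a leading /owncloud).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PHPINFO_MARKER in m.group("path").lower():
            hits.append(m.groupdict())
    return hits


def likely_disclosures(hits):
    """Count, per source IP, the GetPhpInfo.php requests answered with HTTP 200.

    A 200 means the phpinfo page was served, so the environment variables must be
    treated as exposed to that client. A 404 indicates the file was already removed
    or the request was blocked, so nothing was disclosed.
    """
    return Counter(h["ip"] for h in hits if h["status"] == "200")


if __name__ == "__main__":
    for ip, n in likely_disclosures(find_phpinfo_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} successful GetPhpInfo.php request(s); rotate exposed credentials")
```

Run it against the real access log (e.g. `find_phpinfo_hits(open("/var/log/apache2/access.log").read())`); any source with a non-zero count means the credential rotation steps in the Recommendations section are required, not optional.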