Researching that have been keeping tabs on the issue are saying it is under “mass exploitation”. When an ownCloud server is under attack with this particular vulnerability, bad actors can gain access to the entirety of the server.
For those who don’t know, ownCloud is an open-source file-sharing server. It is used as a replacement for services like Google Drive and OneDrive and can be self-hosted.
The vulnerability in question is CVE-2023-49103. It resides in two versions of an app called “graphapi”. This app runs on some ownCloud deployments due to how they are configured. The specific issue is that there is a third-party library being used that provides a URL containing sensitive information for the server.
However, disabling the app in the server won’t necessarily fix the problem.
The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.
It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.”
Excerpt from ownCloud advisory
There have been some people who are tracking how much the vulnerability is being exploited. Honeypots used to catch the hackers have noticed that requests have come in from 13 different IP addresses. But that number is slowly rising.
Shadowserver, an online security organization, has noted that over 11,000 IP addresses are hosting ownCloud servers residing in Germany, France, Russia, Poland, and the US. That doesn’t mean that they are all running the bad app, but an exploit is still an exploit.
ownCloud has provided a solution to fix the issue:
Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.
We also advise to change the following secrets:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access-key
Source: Ars Technica