In a concerning turn of events, hackers are actively exploiting a critical vulnerability, CVE-2023-49103, within the widely used open-source file synchronization and sharing solution, ownCloud. The severity of this flaw cannot be overstated, with a maximum CVSS severity score of 10.0. The exploit allows remote threat actors to execute phpinfo() through ownCloud’s ‘graphapi’ app, thereby revealing sensitive environment variables, including admin passwords, mail server credentials, and license keys in containerized deployments.
ownCloud developers issued security bulletins on November 21, 2023, addressing three vulnerabilities that could potentially lead to devastating data breaches. Of the three, CVE-2023-49103 poses the most significant risk, especially for those utilizing containerized deployments.
“In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key,” warns the CVE-2023-49103 advisory. Disturbingly, the breach can extend to other services within the same environment if they share the same variables and configuration.
Security analysts have reported active exploitation of the vulnerability, with Greynoise observing mass exploitation in the wild since November 25, 2023. The threat tracking firm identified 12 unique IP addresses engaging in exploits, indicating a rising trajectory. Shadowserver echoes similar concerns, detecting over 11,000 exposed instances, predominantly located in Germany, the United States, France, and Russia.
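After a report of mass exploitation, the first question for an administrator is whether their own instance was probed and, if so, whether the file was still present when the request arrived. The script below is an added example, not part of this article or of any vendor's tooling: it scans a web server access log in the Apache/nginx "combined" format for requests to the GetPhpInfo.php path named in the advisory, and reports the number of requests, the distinct source IPs, and how many requests were answered with HTTP 200 (the cases in which the environment was actually disclosed). The log lines are constructed for the example, with RFC 5737 documentation addresses; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article, Greynoise or ownCloud): scan a web
# server access log for requests to the vendored GetPhpInfo.php script that
# CVE-2023-49103 abuses, and summarise them by source IP and outcome.
# The log lines are constructed; the IPs are RFC 5737 documentation ranges.

# Path fragment from the ownCloud advisory, matched anywhere in the request
# line so it works whatever URL prefix the instance is served under.
GETPHPINFO_FRAGMENT='graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

SAMPLE_LOG=$(cat <<'EOF'
198.51.100.7 - - [26/Nov/2023:10:01:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Nov/2023:10:03:11 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "python-requests/2.31"
198.51.100.7 - - [26/Nov/2023:10:03:30 +0000] "GET /status.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Nov/2023:10:04:02 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 81234 "-" "python-requests/2.31"
192.0.2.44 - - [27/Nov/2023:11:15:45 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 153 "-" "curl/8.4.0"
EOF
)

# All log lines that requested the script (empty output, exit 0, if none).
phpinfo_requests() {
    grep -F "$GETPHPINFO_FRAGMENT" "$1" || true
}

# Number of such requests.
phpinfo_request_count() {
    phpinfo_requests "$1" | wc -l | tr -d ' '
}

# Number of distinct source IPs (field 1 of the combined log format).
phpinfo_unique_sources() {
    phpinfo_requests "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Requests answered 200 (field 9 is the status): the file was still present,
# so the environment, and any secrets in it, was disclosed to that client.
# A 404 means the file was already gone when the request arrived.
phpinfo_disclosures() {
    phpinfo_requests "$1" | awk '$9 == 200' | wc -l | tr -d ' '
}

# Source IPs that received a 200, one per line, for blocking and triage.
phpinfo_disclosure_sources() {
    phpinfo_requests "$1" | awk '$9 == 200 { print $1 }' | sort -u
}

LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"

echo "requests for GetPhpInfo.php : $(phpinfo_request_count "$LOGFILE")"
echo "distinct source IPs         : $(phpinfo_unique_sources "$LOGFILE")"
echo "successful disclosures (200): $(phpinfo_disclosures "$LOGFILE")"
echo "sources that received a 200 :"
phpinfo_disclosure_sources "$LOGFILE" | sed 's/^/  /'
```

Any request that got a 200 means the secrets in that container's environment should be treated as compromised regardless of whether the file has since been deleted; the 404 from the third source shows a probe that arrived after the file was gone.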
As the exploitation of CVE-2023-49103 intensifies, ownCloud administrators are strongly urged to take immediate action to mitigate the risk. The recommended fix involves deleting the ‘owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php’ file, disabling the ‘phpinfo’ function in Docker containers, and changing potentially exposed secrets such as the ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access keys.
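The two file-level steps above can be scripted and, more importantly, verified. The following is an added example and not ownCloud's own tooling: it deletes the GetPhpInfo.php file under a given install root, adds phpinfo to the php.ini disable_functions directive (creating the directive if it is missing, and not duplicating it on a second run), and then re-checks both. It runs against a constructed stand-in directory tree; the real install root and php.ini path would be substituted, and the assumption that phpinfo is disabled via disable_functions is the example's own. Rotating the exposed secrets remains a manual step.

```shell
#!/bin/sh
# Added example, not ownCloud's own tooling: apply and verify the file-level
# mitigations from the advisory (delete GetPhpInfo.php, disable phpinfo) on a
# constructed stand-in install. Assumes phpinfo is disabled through the
# php.ini disable_functions directive; substitute the real paths in use.

# Vendored test script, relative to the ownCloud install root (per advisory).
GETPHPINFO_REL='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# 0 if the script is still present under the given ownCloud root.
graphapi_phpinfo_present() {
    [ -f "$1/$GETPHPINFO_REL" ]
}

# Delete the script. This is the advisory's fix; disabling the graphapi app
# alone does not remove the file and is not sufficient.
remove_graphapi_phpinfo() {
    rm -f "$1/$GETPHPINFO_REL"
}

# 0 if the given php.ini lists phpinfo in disable_functions.
phpinfo_disabled() {
    awk -F= '
        /^[[:space:]]*disable_functions[[:space:]]*=/ {
            n = split($2, fns, ",")
            for (i = 1; i <= n; i++) {
                f = fns[i]; gsub(/[[:space:]]/, "", f)
                if (f == "phpinfo") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Append phpinfo to disable_functions, creating the directive if absent.
# Idempotent: does nothing when phpinfo is already listed.
ensure_phpinfo_disabled() {
    ini=$1
    if phpinfo_disabled "$ini"; then return 0; fi
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*disable_functions[[:space:]]*=/ && !done {
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print "disable_functions = " (val == "" ? "phpinfo" : val ",phpinfo")
            done = 1; next
        }
        { print }
        END { if (!done) print "disable_functions = phpinfo" }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Apply both mitigations and return 0 only if both verify afterwards.
harden_owncloud() {
    root=$1; ini=$2
    remove_graphapi_phpinfo "$root"
    ensure_phpinfo_disabled "$ini"
    if graphapi_phpinfo_present "$root"; then return 1; fi
    phpinfo_disabled "$ini"
}

# --- Constructed stand-in for an install (not a real ownCloud tree) ---
WORKDIR=$(mktemp -d)
OC_ROOT="$WORKDIR/owncloud"
PHP_INI="$WORKDIR/php.ini"
mkdir -p "$OC_ROOT/apps/graphapi/vendor/microsoft/microsoft-graph/tests"
printf '<?php // stand-in for the vendored test script\n' > "$OC_ROOT/$GETPHPINFO_REL"
printf 'memory_limit = 512M\ndisable_functions = exec,system\n' > "$PHP_INI"

if graphapi_phpinfo_present "$OC_ROOT"; then echo "before: GetPhpInfo.php present"; fi
if phpinfo_disabled "$PHP_INI"; then echo "before: phpinfo disabled"; else echo "before: phpinfo enabled"; fi

if harden_owncloud "$OC_ROOT" "$PHP_INI"; then
    echo "after: GetPhpInfo.php removed, phpinfo disabled"
else
    echo "after: hardening did NOT verify" >&2
fi
echo "still to do by hand: rotate the admin password, mail server and database credentials, and Object-Store/S3 access keys"
```

The verification step matters more than the deletion: an image rebuild or package update can restore the vendored test file, so the presence check belongs in routine monitoring, not just in the one-off fix.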
Crucially, administrators should be aware that merely disabling the ‘graphapi’ app does not provide sufficient protection. The threat is equally severe for both containerized and non-containerized environments. The only exception is Docker containers created before February 2023, which are not affected by the credential disclosure.
In conclusion, the urgency of addressing CVE-2023-49103 cannot be overstated. Swift action is imperative to prevent unauthorized access and potential data breaches. ownCloud users are advised to implement the recommended fixes immediately and stay vigilant for further updates from the developers.