Threat actors targeting critical OwnCloud vulnerability

The most critical of three OwnCloud vulnerabilities disclosed last week appears to be under active exploitation as of Monday.

On Tuesday, open source software platform OwnCloud detailed three vulnerabilities affecting its cloud file-sharing and syncing products. One was a WebDAV API authentication bypass vulnerability, tracked as CVE-2023-49105, that received a CVSS score of 9.8, and another was a subdomain validation bypass flaw, tracked as CVE-2023-49104, that scored a slightly lower CVSS rating at 8.7.

The third OwnCloud vulnerability, CVE-2023-49103, received the highest possible CVSS score of 10 and could allow an attacker to gather sensitive information about users' OwnCloud systems. OwnCloud warned that exploitation of the critical flaw could allow an attacker to gather admin password information, mail server credentials and license keys.

Threat actors are increasingly leveraging credential theft as identity-based attacks continue to rise.

CVE-2023-49103 affects OwnCloud's Microsoft Graph API app versions 0.2.0 through 0.3.0. Because the app relies on a third-party library, attackers could manipulate the URL provided by the API.

A security advisory published on Nov. 21 urged users to delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The vendor also recommended changing OwnCloud admin passwords, mail server and database credentials, and S3 access keys. However, mitigation does not appear to be straightforward.

"It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," OwnCloud wrote in the security advisory.

Urgency to address the threat heightened Monday after nonprofit security organization The Shadowserver Foundation revealed on X, formerly known as Twitter, that it observed attempts to exploit CVE-2023-49103. The foundation urged users to follow OwnCloud's security advisory mitigation steps due to ease of exploitation.

We are sharing ownCloud instances we see in our scans (no vuln assessment, only accessibility) in our Device Identification report https://t.co/1uPaaDBQcc

Currently over 11K IPs being reported out (we are also working on adding additional fingerprints)https://t.co/kwKF6LY3i0 https://t.co/Qb2ytyJmKv pic.twitter.com/yY7g15bwSa

— Shadowserver (@Shadowserver) November 27, 2023

While CVE-2023-49105 also received a high CVSS score, OwnCloud said in a separate advisory that exploitation would require the attacker to know the victim's username and for that victim to have no signing key configured. OwnCloud said signing key configuration is the default protocol. Users should deny the use of pre-signed URLs if no signing key is configured for the owner of the files, because exploitation could allow an unauthenticated attacker to access, modify or delete files.

To address the subdomain validation bypass flaw, OwnCloud recommended hardening the validation code in the OAuth 2.0 app.

Recent attacks have shown that file-sharing products are a popular target for threat actors. In September, researchers revealed that more than 2,000 organizations were affected by the Clop ransomware gang's attack on Progress Software's MoveIt Transfer product. In January, threat actors exploited a vulnerability in Fortra's GoAnywhere managed file transfer software that led to continued fallout through April.

OwnCloud announced that it was acquired by Kiteworks on Nov. 21, the same day it disclosed all three cloud vulnerabilities. In a statement posted to its website, OwnCloud said it entered into a definitive agreement to merge with Kiteworks, a technology vendor focused on securing communication tools such as file-sharing products.

OwnCloud did not respond to requests for comment regarding active exploitation of CVE-2023-49103 at press time.

Arielle Waldman is a Boston-based reporter covering enterprise security news.