ownCloud Vulnerability With Maximum 10 Severity Score Comes Under 'Mass' Exploitation (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Security researchers are tracking what they say is the "mass exploitation" of a security vulnerability that makes it possible to take full control of servers running ownCloud, a widely used open source file-sharing server app. The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL, ownCloud officials warned last week. Within four days of the November 21 disclosure, researchers at security firm Greynoise said, they began observing "mass exploitation" in their honeypot servers, which masqueraded as vulnerable ownCloud servers to track attempts to exploit the vulnerability. The number of IP addresses sending the web requests has slowly risen since then. At the time this post went live on Ars, it had reached 13.
CVE-2023-49103 resides in versions 0.2.0 and 0.3.0 of graphapi, an app that runs in some ownCloud deployments, depending on the way they're configured. A third-party code library used by the app provides a URL that, when accessed, reveals configuration details from the PHP-based environment. In last week's disclosure, ownCloud officials said that in containerized configurations -- such as those using the Docker virtualization tool -- the URL can reveal data used to log in to the vulnerable server. The officials went on to warn that simply disabling the app in such cases wasn't sufficient to lock down a vulnerable server. [...]
To fix the ownCloud vulnerability under exploitation, ownCloud advised users to: "Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.
We also advise to change the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key"
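As an added example (not from the Ars report, from ownCloud, or from any commenter), the following Python script pairs the advisory's first remediation step with a defender's check of web access logs: it flags requests for GetPhpInfo.php, separates those answered with a 2xx (phpinfo() output was actually served, so the advisory's secret list should be rotated) from failed probes, and removes the file under an install root. The combined access-log format and the sample log lines are assumptions constructed for the demo.

```python
import re
from pathlib import Path

# GetPhpInfo.php as named in the ownCloud advisory, relative to the install root.
GETPHPINFO_REL = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache/nginx combined log format (client ip, request line, status) is assumed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_probe_attempts(log_lines):
    """Return (ip, path, status) for every request that touches GetPhpInfo.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        # Any request for that file name is a probe; the status says whether it worked.
        if m and "getphpinfo.php" in m.group("path").lower():
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

def disclosed_to(hits):
    """IPs that got a 2xx: phpinfo() output was served, so treat the advisory's
    secret list (admin password, mail, DB, S3 keys) as compromised and rotate."""
    return sorted({ip for ip, _, status in hits if 200 <= status < 300})

def vulnerable_file_present(install_root):
    """True while the advisory's GetPhpInfo.php still exists under install_root."""
    return (Path(install_root) / GETPHPINFO_REL).is_file()

def remove_vulnerable_file(install_root):
    """Advisory step 1: delete GetPhpInfo.php. Returns True if a file was removed."""
    p = Path(install_root) / GETPHPINFO_REL
    if not p.is_file():
        return False
    p.unlink()
    return True

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 51234 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Nov/2023:10:02:11 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Nov/2023:10:03:40 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 162 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    hits = find_probe_attempts(SAMPLE_LOG)
    print("probe attempts:", hits)
    print("phpinfo disclosed to:", disclosed_to(hits))
```

Deleting the file only closes the disclosure path; it does not undo what a 2xx hit already revealed, which is why the rotation list matters.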
Come on (Score:5, Funny)
We all want to say it. ownCloud is owned.
Re: (Score:2)
Ah, the many Microsoft eyes.
As the history teaches us, most of them are blind.
Re: (Score:3)
pwnCloud?
TBH I used to run it, now Nextcloud, and at one point some instructions said to chmod 777 everything and in 'Advanced Concepts' was a 'hardening' page, which of course should have been the default.
Hopefully that's much better by now? I wound up having puppet set permissions so upgrades would just get fixed without lapses. I am OK with GUI errors like "can't overwrite config file!" without intervention.
Either that or sysadmins form an international guild and are issued crossbows and local hacker h
Re: (Score:2)
It's best not to try to run your own public facing servers. Unless you are willing to dedicate a lot of time and effort to securing them, and keeping them secure, it's too risky.
If you want cloud stuff like this but must host it yourself, the best option is to make it LAN only and then set up a single VPN entry point.
Re: (Score:3)
"at one point some instructions said to chmod 777 everything"
If I saw that in software instructions, I would immediately decide never to use anything written by that company ever again.
Microsoft PHP code... (Score:4, Insightful)
Of course someone would leave in a copy of GetPhpInfo.php. By now version control systems should just disallow committing the file by name alone.
who the hell would use PHP? (Score:2)
This is an own goal.
Re: (Score:3)
It appears to be a bit more complicated than that. The existence of that file isn't necessarily a problem, if the web server is properly configured to not allow access to it. It seems that the script that sets up access rights during installation is flawed.
The directory where GetPhpInfo.php resides is named "tests" and clearly should not be accessible publicly.
nextcloud not affected (Score:2)
Re: (Score:3)
Came to say the same, Nextcloud does not appear to be affected by this issue.
However, Nextcloud did have some CVEs recently that are important:
https://www.cisa.gov/news-even... [cisa.gov] (search results for nextcloud)
Still worth making sure Nextcloud is up to date for its own reasons.
It's not a problem with ownCloud specifically (Score:4, Interesting)
Re: It's not a problem with ownCloud specifically (Score:4, Funny)
Remember, they look up to Java devs who can understand the undecipherable scrolls at baeldung.com. Advanced stuff.
We live in the plot of Idiocracy.
That's not many addresses. At all. (Score:3)
TinFoilHat = on (Score:2)
Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
Can this be malice, or just incompetence?
Open source cloud crap is still crap (Score:3)
Remember kids: the most secure data is the data you don't upload anywhere.