OwnCloud, a popular platform for file sharing and cloud storage, recently disclosed two critical vulnerabilities – CVE-2023-49103 and CVE-2023-49105. This post focuses on CVE-2023-49105, shedding light on its implications and necessary actions for users.
Here’s what you need to know:
What is CVE-2023-49105?
On November 21st, 2023, OwnCloud made public the discovery of three critical vulnerabilities affecting its cloud file-sharing and syncing products: CVE-2023-49103, CVE-2023-49104, and CVE-2023-49105. Among these, CVE-2023-49105 poses a significant risk, receiving a CVSS score of 9.8 due to its potential for privilege escalation and remote code execution.
CVE-2023-49105 is a severe security vulnerability with a CVSS score of 9.8, impacting OwnCloud versions 10.6.0 to 10.13.0. This vulnerability allows attackers to execute unauthorized commands, leading to potential privilege escalation and remote code execution (RCE).
Recent incidents targeting file-sharing products indicate a growing trend of threat actors exploiting vulnerabilities in such systems for malicious purposes. This vulnerability reiterates the importance of robust security measures in cloud-based file-sharing services.
CVE-2023-49105 poses a critical threat, enabling unauthorized access to sensitive data and potential system compromise. The urgency to address this vulnerability cannot be overstated, and immediate action based on OwnCloud’s recommendations is crucial to prevent exploitation and safeguard systems.
Exploiting this vulnerability involves the manipulation of the URL provided by the OwnCloud API, specifically impacting the Microsoft Graph API app versions 0.2.0 through 0.3.0.
An attacker without an account can seize control of all files belonging to any user on the server and, in specific cases, potentially execute remote code. The attacker exploits the lack of a user-specific key, allowing impersonation of any user via the website’s authenticated requests, such as WEBDAV and CALDAV. Attackers with standard account credentials can elevate their privileges to the administrator level. Subsequently, they can initiate remote code execution, effectively compromising the system.
Credential Change: Users are advised to update admin passwords, mail server and database credentials, and S3 access keys. However, the mitigation process might not be as straightforward as outlined by OwnCloud.
Does CVE-2023-49105 affect me?
CVE-2023-49105 affects OwnCloud users running versions between 10.6.0 and 10.13.0. The severity and potential wide-reaching impact of this vulnerability make it imperative to take immediate action.
Has CVE-2023-49105 been actively exploited in the wild?
Reports confirm active exploitation attempts of CVE-2023-49105, stressing the urgency for users to follow OwnCloud’s security advisory to prevent unauthorized access and potential system compromise. A nonprofit security organization, The Shadowserver Foundation, has confirmed attempts to exploit CVE-2023-49103, underscoring the urgency for users to adhere to OwnCloud’s mitigation steps.
How to fix CVE-2023-49105?
In its advisory, OwnCloud’s urgent recommendation includes deleting the specified file and changing critical credentials, emphasizing the complexity of mitigating the vulnerability: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Users are encouraged to patch for the Pre-Signed URL Issue of WebDAV API Authentication Bypass by upgrading to ownCloud Server 10.13.3.
Also a possibility is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Announcing the Attack Path Graph for end-to-end risk prioritization
- The Q3 2023 Vulnerability Watch report
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- IBM’s Cost of a Data Breach report 2023 – what we learned
