On 21 November 2023, ownCloud announced three major vulnerabilities in its core (CVE-2023-49105), oauth2 (CVE-2023-49104), and graphapi (CVE-2023-49103) libraries.
The Edgio Security suite of products can expedite zero-day remediation by enabling virtual patching, helping customers stay ahead of these evolving threats. Although our default rules already protect our customers from these threats, we strongly recommend also applying the vendor's recommended actions to all affected systems. Should you have concerns or require additional support in safeguarding your ownCloud instance, contact the Edgio SOC at tickets@edg.io for assistance.
Recommendations:
Disclosure of Sensitive Credentials and Configuration in Containerized Deployments (CVE-2023-49103):
- CVSS Score: 10.0 CRITICAL
- Impact: This critical vulnerability affects ownCloud/graphapi versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. It exposes configuration details of the PHP environment, including sensitive data such as the ownCloud admin password, mail server credentials, and license keys. Simply disabling the graphapi app does not eliminate the vulnerability.
- Action: Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Disable the phpinfo function in Docker containers. Change the ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access key.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49103
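The two configuration checks behind the CVE-2023-49103 actions above, as an added POSIX shell example that is not part of the Edgio post or of ownCloud's own tooling. It assumes the ownCloud web root is passed as the first argument and that the container's PHP configuration is a php.ini whose disable_functions directive is where phpinfo gets disabled.

```shell
#!/bin/sh
# Added example (not Edgio's or ownCloud's code): audit an ownCloud tree for the
# CVE-2023-49103 exposure and the phpinfo hardening the advisory recommends.
# Assumptions: $1 is the ownCloud web root, $2 is the php.ini in use.

# Returns 0 if the exposed test script is absent, 1 if it is still present.
check_getphpinfo() {
  root="$1"
  f="$root/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
  if [ -f "$f" ]; then
    echo "FAIL: $f exists; delete it (CVE-2023-49103)"
    return 1
  fi
  echo "OK: GetPhpInfo.php not present"
  return 0
}

# Returns 0 if phpinfo is listed in disable_functions, 1 otherwise.
# Uses the last uncommented disable_functions line, splits it on commas and
# strips spaces and quotes so "exec, phpinfo ,system" is handled correctly.
check_phpinfo_disabled() {
  ini="$1"
  if grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" 2>/dev/null \
     | tail -n 1 | cut -d= -f2- | tr ',' '\n' | sed 's/[[:space:]"]//g' \
     | grep -qx 'phpinfo'; then
    echo "OK: phpinfo is disabled in $ini"
    return 0
  fi
  echo "FAIL: phpinfo is not in disable_functions in $ini"
  return 1
}

# Runs both checks and returns non-zero if either one fails.
audit_owncloud() {
  rc=0
  check_getphpinfo "$1" || rc=1
  check_phpinfo_disabled "$2" || rc=1
  return $rc
}

# Stand-alone usage: audit_owncloud.sh /var/www/owncloud /etc/php/php.ini
if [ $# -eq 2 ]; then
  audit_owncloud "$1" "$2"
fi
```

Credential rotation (admin password, mail, database and object-store keys) still has to be done by hand; a clean audit only confirms the exposure path is closed.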
Subdomain Validation Bypass (CVE-2023-49104):
- CVSS Score: 8.7 HIGH
- Impact: This critical vulnerability affects ownCloud/oauth2 versions before 0.6.1. It allows an attacker to pass a specially crafted redirect URL that bypasses the redirect URL validation and sends callbacks to any alternate top-level domain controlled by the attacker when the “Allow Subdomains” option is enabled.
- Action: Harden the attribute validation code in the oauth2 app. As a workaround, the “Allow Subdomains” option can be disabled to protect against the vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49104
https://owncloud.com/security-advisories/subdomain-validation-bypass/
WebDAV API Authentication Bypass using Pre-Signed URLs (CVE-2023-49105):
- CVSS Score: 9.8 CRITICAL
- Impact: This high-risk issue affects ownCloud/core versions 10.6.0 to 10.13.0. An attacker who knows the victim’s username can access, modify, or delete any of the victim’s files without authentication if the victim has no signing-key configured.
- Action: Deny the use of pre-signed URLs if “signing-key” is not configured for the owner of the files.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49105
https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
It’s essential for users and administrators of ownCloud to regularly review security advisories and implement suggested measures to protect their systems.