
CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105: ownCloud Multiple Vulnerabilities

Date: 4/12/2023 | Prepared by: Joel D'Souza, Vulnerability Security Analyst

Purpose 

The purpose of this bulletin is to address three recently disclosed CRITICAL-risk vulnerabilities present in the ownCloud file-sharing platform. 

As these vulnerabilities allow potential attackers to extract administrator credentials and sensitive data from the platform, the Triskele Labs team advises that all organisations using this system follow the remediation steps outlined in the subsequent sections.  

The Australian Cyber Security Centre (ACSC) has recently seen mass exploitation of these vulnerabilities and has published an alert addressing them on November 29th, 2023. 

Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2023-49103 in its Known Exploitable Vulnerabilities (KEV) list as they have found it to be weaponised and actively exploited. 

Containerised deployments through Docker have also been targeted and successfully exploited, according to ownCloud.  


Details 

On November 21st, 2023, ownCloud published the security advisory targeting three critical vulnerabilities (CVE-2023-49103, CVE-2023-49104, and CVE-2023-49105) with mitigation actions on their website. 

Each vulnerability exposed sensitive information and provided an easily accessible attack path to potential threat actors. The details of the vulnerabilities are listed below. 

  • CVE-2023-49103 is the highest-rated vulnerability of the group. It exposes sensitive information about the deployment, including administrative passwords and security keys, and consequently allows full authenticated access to the target server. CVE-2023-49103 affects graphapi versions 0.2.0 to 0.3.0. 
  • CVE-2023-49104 is a critical vulnerability that could allow an attacker to bypass the built-in domain validation safeguards and create a connection back to a server under their control. This connection could be leveraged to exfiltrate significant amounts of data. CVE-2023-49104 affects oauth2 versions below 0.6.1. 
  • CVE-2023-49105 is a critical vulnerability that allows an unauthenticated attacker to access, modify, or delete any file if a valid username is known. While this vulnerability requires the absence of a signing key, the default configuration of the platform has this option disabled. CVE-2023-49105 affects ownCloud Core versions 10.6.0 to 10.13.1. 

While each of these vulnerabilities poses a significant threat individually, together they sharply increase the likelihood of exploitation. 

As such, any ownCloud instance should be treated as an optimal target for a threat actor and patched as a priority for the business to prevent exfiltration of data and leakage of Personally Identifiable Information (PII) and other sensitive data. 


Mitigation Actions 

If you are utilising an ownCloud Server instance below version 10.13.3, we recommend reviewing the server logs for unusual activity. Triskele Labs recommends upgrading to ownCloud version 10.13.3 immediately to ensure permanent mitigation.  

In addition to the update, please refer to the following vendor security releases for additional mitigation steps: 


Detection Capabilities 

Organisations can check vulnerable ownCloud instances for the following Indicators of Compromise (IoCs) for CVE-2023-49103, provided by the cybersecurity company Rapid7:  

Check for an HTTP GET request to a URI path containing the following in the Apache server’s access logs: 

/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php 

The indicator of a successful exploitation attempt will be an HTTP 200 response. 
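The check described above can be automated over an Apache access log. The script below is an added example written for this bulletin; it is not Rapid7's or ownCloud's code. It parses combined-format access-log lines, flags GET requests whose URI contains the GetPhpInfo.php path, and marks those answered with HTTP 200 as likely successful. The log lines embedded in it are constructed samples, not real traffic, and the combined log format is assumed to be the one in use.

```python
import re
from typing import Dict, List, Optional

# URI path requested by exploitation attempts for CVE-2023-49103 (from the bulletin).
IOC_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Apache "combined" log format: client, identd, user, [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): one benign request, one hit
# with a 200 response, one hit that was blocked with a 404, and one WebDAV upload.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2023:10:01:02 +1100] "GET /index.php/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Nov/2023:10:01:09 +1100] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 84233 "-" "curl/8.4.0"
198.51.100.7 - - [28/Nov/2023:10:05:40 +1100] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
203.0.113.22 - - [28/Nov/2023:10:07:15 +1100] "POST /remote.php/dav/files/alice/report.pdf HTTP/1.1" 201 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cve_2023_49103_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return every GET request whose URI contains the IoC path.

    Each hit carries a 'likely_success' flag: True when the server answered
    HTTP 200 (the bulletin's indicator of a successful attempt), False otherwise.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        # "containing" match: query strings or trailing components still count.
        if IOC_PATH not in rec["uri"]:
            continue
        rec["likely_success"] = rec["status"] == "200"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_cve_2023_49103_indicators(SAMPLE_LOG):
        verdict = "LIKELY SUCCESSFUL" if hit["likely_success"] else "attempt"
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {verdict}: {hit["uri"]}')
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the access log; any hit with a 200 response should be treated as a confirmed exposure of the phpinfo output and escalated, and the source address reviewed for follow-on authentication attempts.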

Currently, successful exploitation of CVE-2023-49104 and CVE-2023-49105 is not known to generate artifacts or logs that can be reproduced consistently. 

This bulletin will be updated if additional detection information is released. 

Triskele Labs DefenceShield customers with Assess (our Vulnerability Scanning service) are currently being evaluated. 

All customers with our Monitor service (24x7x365 Security Operations Centre, Managed Detection and Response) are, as always, being monitored for Indicators of Compromise (IoCs) and other suspicious activity.


References 

References used for the generation of this release: