**CRITICAL RISK** CVE-2023-49103 OwnCloud (graphAPI Extension < v0.3.1) – Disclosure of Sensitive Credentials to Unauthorised Actors via PhpInfo

Background & Context

ownCloud is an open-source software product for sharing and syncing of files in distributed and federated enterprise scenarios. It allows companies and remote end-users to organize their documents on servers, computers and mobile devices and work with them collaboratively, while keeping a centrally organized and synchronized state. ownCloud supports extensions like online document editing (Collabora, OnlyOffice, Microsoft 365 and Microsoft Online Office).

The “graphAPI” extension adds a user info endpoint to ownCloud Server which is based on the Microsoft Graph API specification. The user info endpoint enhances ownCloud Server 10 with capabilities for a Bridge setup which is a hybrid deployment between ownCloud Server 10 and ownCloud Infinite Scale. It enables ownCloud Infinite Scale components like the built-in Identity Provider (Kopano Konnect) for OpenID Connect authentication with ownCloud Server 10 to be used.


Vulnerability Summary

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphAPI app relies on a third-party [[code:GetPhpInfo.php]] library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment ([[code:phpinfo]]). This information includes all the environment variables of the webserver. Additionally, [[code:phpinfo]] exposes various other potentially sensitive configuration details.

Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.


Impact If Exploited

Many of the exposed configuration details could be used by an attacker to gather information about the system. More critically, in some custom or containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password and mail server credentials. An attacker could use these to take over the ownCloud server.

NOTE: CISA (America’s Cyber Defense Agency) has reported this vulnerability as known to be actively exploited in the wild as of 2023-11-30. Public exploit code has been published. GreyNoise observed mass exploitation of this vulnerability in the wild as early as November 25, 2023. Remediation should be prioritised in any impacted environment.


Affected Product Versions

* OwnCloud GraphAPI extension prior to release 0.3.1

NOTE: Even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.


Remediation

Official Fix & Remediation Guidance

Simply disabling the graphAPI app does not eliminate the vulnerability. Update to the latest version.

The update removes the file [[code:owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php]]. Additionally, it disables the [[code:phpinfo()]] function in Docker containers.

The vendor also advises changing the following secrets:

* ownCloud admin password
* Mail server credentials
* Database credentials
* Object-Store/S3 access-key

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


Temporary Mitigation & Workarounds:

* Delete the file [[code:owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php]]
* Harden the validation code in the oauth2 app. As a workaround you can disable the “Allow Subdomains” option to disable the vulnerability (see [[https://owncloud.com/security-advisories/subdomain-validation-bypass/|link]]).
* Deny the use of pre-signed urls if no signing-key is configured for the owner of the files (see [[https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/|link]])

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.


References:

* [[https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/]]
* [[https://www.labs.greynoise.io/grimoire/2023-11-29-owncloud-redux/?_ga=2.262964169.478723668.1701422965-2037703102.1701422964]]


Category: Sensitive Data Disclosure


Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
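As an added example (not part of the advisory or of AppCheck's plugin), the following script scans web server access logs in combined format for requests that reference the exposed [[code:GetPhpInfo.php]] path named above, and records whether each request was answered with 200 (disclosure likely) or was blocked, which is what you should see once the file has been deleted or the app updated. The log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Path of the exposed test script named in the advisory, relative to the ownCloud web root.
GRAPHAPI_PHPINFO_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Combined log format (Apache/nginx default): client, timestamp, request line, status, size.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    served: bool  # True when the server answered 200, i.e. phpinfo output was most likely returned

def parse_line(line: str):
    """Return the fields of one combined-format access log line as a dict, or None."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(lines):
    """Flag every request whose path references the graphapi GetPhpInfo.php file.

    A case-insensitive substring match is used on purpose so that requests with extra
    path or query components after the file name are still reported.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if GRAPHAPI_PHPINFO_PATH.lower() in rec["path"].lower():
            status = int(rec["status"])
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], status, status == 200))
    return findings

# Constructed sample log lines (not real traffic): a benign request, a probe answered with 200
# before remediation, and the same probe answered with 404 after the file was removed.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Nov/2023:10:01:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5123',
    '198.51.100.9 - - [29/Nov/2023:10:02:17 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84512',
    '198.51.100.9 - - [29/Nov/2023:10:45:40 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} status={f.status} served={f.served} {f.path}")
```

Any finding with [[code:served=True]] means the environment variables (and any secrets they held) should be treated as exposed and rotated as the vendor advises.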


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
