
Several security research companies are warning that a recently disclosed vulnerability affecting ownCloud is being exploited by hackers, ramping up the urgency for organizations to address the bug as soon as possible.

ownCloud is popular open-source software used to share files, contacts and calendar information. On November 21, the company warned of CVE-2023-49103 — a vulnerability that carries the maximum CVSS severity score of 10 and exposes sensitive information if exploited.

Two organizations — Shadowserver and GreyNoise — warned that the vulnerability is being exploited in attacks.

GreyNoise’s Glenn Thorpe wrote on Monday that the bug affects the “graphapi” app used in ownCloud and allows attackers to access admin passwords, mail server credentials, and license keys.

ownCloud added in its advisory that the bug “exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system.”

“Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern,” the company noted.

ownCloud urged customers to delete the graphapi app's bundled phpinfo test file and said it would "apply various hardenings in future core releases to mitigate similar vulnerabilities." It also said customers should assume the exposed secrets are compromised and change their ownCloud admin password, mail server credentials, database credentials and the Object-Store/S3 access-key.
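The advisory's remediation has two halves a defender can verify: the file is gone (or phpinfo is disabled), and nobody has already pulled it. The script below is an added example, not code from the article, GreyNoise or ownCloud. It assumes the vulnerable file path named in ownCloud's advisory, which this page does not quote (apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php), a php.ini `disable_functions` setting as the secondary mitigation, and constructed access-log lines in common/combined format standing in for a real web-server log.

```python
"""Remediation and exposure check for CVE-2023-49103 (ownCloud graphapi phpinfo).

Added example, not ownCloud's or GreyNoise's code. Assumptions:
  * VULN_PARTS is the test file path named in ownCloud's advisory.
  * php.ini is the place phpinfo gets disabled (disable_functions).
  * SAMPLE_LOG is constructed, not a real capture.
"""
import os
import re
import tempfile

# Relative path of the bundled phpinfo test script (advisory path, assumption here).
VULN_PARTS = ("apps", "graphapi", "vendor", "microsoft", "microsoft-graph",
              "tests", "GetPhpInfo.php")


def file_removed(owncloud_root: str) -> bool:
    """True when the graphapi phpinfo test script is no longer on disk."""
    return not os.path.exists(os.path.join(owncloud_root, *VULN_PARTS))


def phpinfo_disabled(php_ini_text: str) -> bool:
    """Parse a php.ini body and report whether phpinfo is in disable_functions.

    Comment lines (';') and trailing comments are ignored; the last
    disable_functions directive wins, as it does for PHP itself.
    """
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line.lower().startswith("disable_functions"):
            continue
        _, _, value = line.partition("=")
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return "phpinfo" in disabled


# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_exploit_attempts(log_lines):
    """Return (ip, path, status) for every request aimed at the graphapi test script.

    The match is on the path containing the script name under /graphapi/ rather
    than on the path suffix, so requests that append extra segments after
    '.php' are still caught. Status 200 means the server actually served it.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if "/graphapi/" in path and "getphpinfo.php" in path:
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


def demo_file_check():
    """Create the file in a scratch tree, check, delete it, check again."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, *VULN_PARTS)
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("<?php phpinfo();\n")  # placeholder body, not the real script
        before = file_removed(root)          # False: still vulnerable
        os.remove(target)
        after = file_removed(root)           # True: remediated
    return before, after


# Constructed php.ini fragments: one without the mitigation, one with it.
INI_WEAK = "; php.ini\nexpose_php = On\ndisable_functions =\n"
INI_HARDENED = "; php.ini\nexpose_php = Off\ndisable_functions = phpinfo, system ; hardened\n"

# Constructed log lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Nov/2023:03:14:07 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 41233 "-" "python-requests/2.31"',
    '198.51.100.23 - - [26/Nov/2023:03:15:12 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 41233 "-" "curl/8.4.0"',
    '192.0.2.55 - - [26/Nov/2023:03:16:40 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Nov/2023:03:17:01 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 1034 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    print("file check (before, after):", demo_file_check())
    print("weak ini disables phpinfo:", phpinfo_disabled(INI_WEAK))
    print("hardened ini disables phpinfo:", phpinfo_disabled(INI_HARDENED))
    for ip, path, status in find_exploit_attempts(SAMPLE_LOG):
        print(f"{ip} -> {status} {path}")
```

Any hit with status 200 dated before the file was removed is the trigger for the credential rotation the advisory asks for; a 404 shows an attempt that was already blocked. Point `file_removed` at the real ownCloud root and `phpinfo_disabled` at the php.ini of the PHP build actually serving ownCloud (containers often ship their own).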

The company disclosed two other vulnerabilities the same day that also carried high CVSS scores of 9.8 and 9.0 respectively.

Thorpe said GreyNoise began to see exploitation on November 25 with a large spike in attempts on Sunday and Monday, with at least 12 unique IP addresses targeting the vulnerability. Shadowserver said its own scans have revealed thousands of vulnerable instances in Germany, the U.S., France and Russia.

Johannes Ullrich, dean of research at the SANS Technology Institute, echoed those findings but noted that hackers typically target ownCloud in an effort to “find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords.”

The Cybersecurity and Infrastructure Security Agency (CISA) included all three issues in its vulnerability summary bulletin, which spotlights new bugs experts should be aware of.
