ownCloud Security Vulnerability Under 'Mass Exploitation' by Hackers

ownCloud security vulnerability under "mass exploitation."

Hackers are taking advantage of ownCloud's security vulnerability and conducting a "mass exploitation" to potentially take full control of the open-source file-sharing software's servers.

Several security research companies have issued warnings about the recently discovered vulnerability. The situation has added urgency for organizations to address the bug as soon as possible to minimize potential damage and consequences.

ownCloud Security Vulnerability

Image caption: A security vulnerability in ownCloud's graphapi has resulted in "mass exploitation" that threatens to expose users' credentials. (Photo: Leon Neal/Getty Images)

ownCloud is popular open-source software that people and organizations use to share files, contacts, and calendar info. On Tuesday, the company warned of CVE-2023-49108, a vulnerability that carries the maximum CVSS security score of 10 and exposes sensitive information if it is exploited.

Shadowserver and GreyNoise are two organizations that issued warnings that ownCloud's vulnerability is being exploited in mass attacks. On Monday, GreyNoise's Glenn Thorpe said that the bug affects the "graphapi" app used in ownCloud. The bug reportedly allows attackers to access admin passwords, mail server credentials, and license keys, according to The Record.

In its advisory, ownCloud added that the bug "exposes various other potentially sensitive configuration details that could be exploited by an attacker or to gather information about the system." It noted that even if the software is not running in a containerized environment, the vulnerability should still be a cause for concern.

The company urged its customers to delete certain files and said that it would apply various hardenings in future core releases to mitigate similar vulnerabilities. It recommended that customers change their ownCloud admin password, mail server credentials, database credentials, and the Object-Store/S3 access key.

Furthermore, ownCloud disclosed two other vulnerabilities that same day, which also carried high CVSS scores of 9.9 and 9 respectively. Thorpe noted that GreyNoise began seeing exploitation of the bug on Nov. 25 and observed a large spike in attempts on Sunday and Monday.

Threat to User Credentials

Thorpe said that GreyNoise saw 13 IPs hitting its unadvertised sensors, which suggests that attackers are spraying the exploit across the internet to see what hits. Given the nature of the vulnerability, there is legitimate cause for concern, according to Ars Technica.

On the other hand, Shadowserver reported similar observations and warned that it currently detects more than 11,000 exposed instances. Most of these are located in Germany, the United States, France, and Russia.

ownCloud's recommended fix is to delete the GetPhpInfo.php file, disable the "phpinfo" function in Docker containers, and change potentially exposed credentials. It is also important to note that disabling the graphapi app does not mitigate the vulnerability.
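The mitigation steps above, turned into a post-advisory checklist as an added example (this is not ownCloud's own tooling): it looks for any remaining GetPhpInfo.php under an install root, verifies that phpinfo is listed in disable_functions of a php.ini, and counts requests for that file in a web access log. The install path, php.ini location and log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not ownCloud's own tooling: checks a host against the
# advisory's mitigations (remove GetPhpInfo.php, disable phpinfo) and
# counts probe requests in an access log. All paths are assumptions.
set -u

# Print every GetPhpInfo.php under an install root; 1 if any exists, else 0.
check_getphpinfo() {
    hits=$(find "$1" -type f -name 'GetPhpInfo.php' 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# 0 when the last disable_functions line in the given php.ini lists phpinfo.
phpinfo_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=//' | tr -d ' "' | tr ',' '\n' \
        | grep -qx 'phpinfo'
}

# Number of access-log lines that request GetPhpInfo.php (probe activity).
count_probe_hits() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'GetPhpInfo\.php' "$1" || true
}

# Constructed sample: a fake install tree, a php.ini and two log lines.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/apps/graphapi"
    : > "$tmp/www/apps/graphapi/GetPhpInfo.php"   # assumed, not the real path
    printf 'disable_functions = exec,phpinfo\n' > "$tmp/php.ini"
    printf '%s\n' \
        '203.0.113.5 - - [27/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/GetPhpInfo.php HTTP/1.1" 200 9001' \
        '198.51.100.7 - - [27/Nov/2023:10:01:09 +0000] "GET /index.php/login HTTP/1.1" 200 512' \
        > "$tmp/access.log"
    check_getphpinfo "$tmp/www" && echo "no GetPhpInfo.php present" \
        || echo "ACTION: delete the file(s) above and rotate credentials"
    phpinfo_disabled "$tmp/php.ini" && echo "phpinfo disabled" \
        || echo "ACTION: add phpinfo to disable_functions"
    echo "probe requests in log: $(count_probe_hits "$tmp/access.log")"
    rm -rf "$tmp"
}
demo
```

Rotating the admin, mail, database and S3 credentials is still required after the file is removed, since anything already disclosed stays disclosed.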

According to Bleeping Computer, experts said that the only deployments resistant to the credential disclosure problem are Docker containers created before February 2023.

Shadowserver officials said that the relative ease of exploitation has driven the surge of attempts to gain access to other people's credentials. Fortunately, there have been no reports of the other two vulnerabilities being exploited. However, users should still follow ownCloud's instructions to mitigate potential risks.
