ownCloud Users Beware: Act Now to Patch Critical Security Vulnerabilities
ownCloud, a widely used open-source file sync and share solution, recently disclosed three critical security vulnerabilities, each posing significant risks to user data and privacy. If left unaddressed, these vulnerabilities could allow attackers to gain unauthorized access to sensitive information, manipulate or delete files, and potentially compromise the integrity of the entire system.
1. CVE-2023-49103: Disclosure of sensitive credentials and configuration in containerized deployments
A staggering CVSS score of 10 underlines the severity of CVE-2023-49103. This vulnerability lies within the Graph API extension of the ownCloud Server. It inadvertently exposes sensitive credentials and configuration details through a URL linked to the graphapi app’s third-party library. When accessed, this URL reveals the PHP environment’s configuration, including critical environment variables of the webserver.
In containerized deployments, these variables may contain sensitive data like the ownCloud admin password, mail server credentials, and license key. Disabling the graphapi app is not sufficient to mitigate this risk. Furthermore, this vulnerability extends beyond containerized environments, exposing various other sensitive configuration details exploitable by attackers.
Actions Taken:
- Deletion of the GetPhpInfo.php file from the graphapi app’s vendor directory.
- Disabling the phpinfo function in Docker containers.
- Planned hardening measures in future core releases.
- Advisory to change critical credentials, including admin passwords and server details.
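The two concrete mitigations above (removing the leftover file and disabling phpinfo) can be verified on the host itself. The following is an added example, not part of the advisory and not ownCloud's own code: it walks an assumed graphapi vendor directory for any file named GetPhpInfo.php and parses a php.ini text for a disable_functions entry that covers phpinfo. The directory path and the php.ini content are constructed sample inputs.

```python
import os
import tempfile


def find_phpinfo_files(vendor_dir: str) -> list[str]:
    """Return every GetPhpInfo.php left under the given vendor directory.

    After the fix this list should be empty; any hit is a file that still
    renders phpinfo() output (and therefore the webserver's environment).
    """
    hits = []
    for root, _dirs, files in os.walk(vendor_dir):
        for name in files:
            if name == "GetPhpInfo.php":
                hits.append(os.path.join(root, name))
    return sorted(hits)


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if a non-commented disable_functions line lists phpinfo."""
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments, including inline ones
        if not line.lower().startswith("disable_functions"):
            continue
        _key, _sep, value = line.partition("=")
        funcs = {f.strip().lower() for f in value.split(",") if f.strip()}
        if "phpinfo" in funcs:
            return True
    return False


def audit(vendor_dir: str, php_ini_text: str) -> list[str]:
    """Collect remediation findings; an empty list means both checks pass."""
    findings = []
    for path in find_phpinfo_files(vendor_dir):
        findings.append(f"remove leftover file: {path}")
    if not phpinfo_disabled(php_ini_text):
        findings.append("add phpinfo to disable_functions in php.ini")
    return findings


def demo() -> list[str]:
    """Run the audit against a constructed layout (hypothetical paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = os.path.join(tmp, "apps", "graphapi", "vendor")
        nested = os.path.join(vendor, "some-library", "tests")
        os.makedirs(nested)
        with open(os.path.join(nested, "GetPhpInfo.php"), "w") as fh:
            fh.write("<?php phpinfo();\n")  # constructed stand-in for the leftover file
        ini = "; disable_functions = phpinfo   <- commented out, does not count\n" \
              "disable_functions = exec,system\n"
        return audit(vendor, ini)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the script against a real installation means pointing it at the actual apps/graphapi/vendor directory and the php.ini the webserver loads; a clean result still does not replace the credential rotation the advisory recommends, because anything already exposed stays exposed.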
2. CVE-2023-49104: The OAuth Subdomain Validation Bypass
With a CVSS score of 9.0, CVE-2023-49104 presents a significant threat. This vulnerability exists within the oauth2 app, where an attacker can supply a specially crafted redirect URL that bypasses the validation code, allowing the attacker to redirect callbacks to a domain under their control.
Actions Taken:
- Strengthening the validation code in the oauth2 app.
- Disabling the “Allow Subdomains” option as a workaround.
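The strengthened validation and the "Allow Subdomains" workaround both come down to how a redirect URL is compared against the registered one. The example below is added here and is not ownCloud's oauth2 app code: it contrasts a loose, substring-style comparison (an assumed weak pattern, shown only to make the failure mode visible) with a strict validator that parses the URL, requires scheme, port and path to match exactly, and honours an allow_subdomains flag only for hosts that are genuine child labels of the registered host. All URLs are constructed sample values.

```python
from urllib.parse import urlsplit


def naive_redirect_ok(registered: str, candidate: str) -> bool:
    """Loose check: same scheme prefix and the registered host appears somewhere.

    Assumed weak pattern for illustration; a host embedded in another host
    or in the query string satisfies it.
    """
    reg = urlsplit(registered)
    return candidate.startswith(reg.scheme + "://") and reg.hostname in candidate


def strict_redirect_ok(registered: str, candidate: str, allow_subdomains: bool = False) -> bool:
    """Strict check: parsed components must match the registered redirect URL.

    With allow_subdomains=False (the advisory's workaround) the host must be
    identical; with True only real child labels of the registered host pass.
    """
    reg = urlsplit(registered)
    try:
        cand = urlsplit(candidate)
        cand_port, reg_port = cand.port, reg.port  # raises ValueError on a bad port
    except ValueError:
        return False
    if cand.scheme not in ("https", "http") or cand.scheme != reg.scheme:
        return False
    if cand.username is not None or cand.password is not None:
        return False  # userinfo tricks such as https://registered@evil are rejected
    if cand.hostname is None or reg.hostname is None:
        return False
    cand_host, reg_host = cand.hostname.lower(), reg.hostname.lower()
    if cand_host != reg_host:
        # A subdomain must end with "." + registered host; a suffix match alone
        # (app.example.com.evil.test) is not enough.
        if not (allow_subdomains and cand_host.endswith("." + reg_host)):
            return False
    if cand_port != reg_port:
        return False
    if cand.path != reg.path:
        return False  # exact path match, as OAuth best practice requires
    return True


def compare(registered: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each candidate to (naive_result, strict_result) for side-by-side review."""
    return {c: (naive_redirect_ok(registered, c), strict_redirect_ok(registered, c))
            for c in candidates}


if __name__ == "__main__":
    REGISTERED = "https://app.example.com/callback"  # constructed registered URL
    samples = [
        "https://app.example.com/callback",
        "https://app.example.com.evil.test/callback",
        "https://evil.test/?next=app.example.com",
        "https://login.app.example.com/callback",
    ]
    for url, (naive, strict) in compare(REGISTERED, samples).items():
        print(f"{url:48} naive={naive!s:5} strict={strict}")
```

The design point is that the registered value is parsed once into scheme, host, port and path, and every candidate is compared component by component; a string search over the whole URL can never distinguish the registered host from the same characters appearing inside a longer host or a query parameter.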
3. CVE-2023-49105: The WebDAV API Authentication Bypass
CVE-2023-49105 scores a worrying 9.8 on the CVSS scale. This vulnerability affects the WebDAV protocol support in ownCloud. It enables unauthorized access, modification, or deletion of any file if the username is known and the victim hasn’t configured a signing key, which is the default setting.
Actions Taken:
- Denial of pre-signed URLs usage if no signing key is configured for the file owner.
Recommendations
In light of these vulnerabilities, it is strongly recommended to update ownCloud to the latest stable version, which includes the necessary patches to address all three issues. Additionally, users should regularly review and update their security practices to minimize the risk of future vulnerabilities.
For organizations and individuals relying on ownCloud, these developments underline the necessity of staying informed and promptly applying security updates and changes. In the relentless pursuit of digital security, awareness and responsiveness are key allies in protecting our digital assets.