Critical bug in ownCloud file sharing app exposes admin passwords


OwnCloud

Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.

ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform.

It is used by businesses and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to keep control over their data rather than hosting it with third-party cloud storage providers. OwnCloud's website reports 200,000 installs, 600 enterprise customers, and 200 million users.

The software consists of multiple libraries and components that work together to provide a range of functionality for the cloud storage platform.

Severe data breach risks

The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.

The first flaw is tracked as CVE-2023-49103 and received the maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, impacting all environment variables of the webserver.

Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details via a URL, exposing ownCloud admin passwords, mail server credentials, and license keys.

The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
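To check whether the two configuration-side steps of that fix have actually been applied, here is an added audit script; it is not ownCloud's own code. It assumes the web root layout named in the bulletin and that `disable_functions` is set in the container's php.ini (the file path passed in is an assumption, and the `demo()` fixture is a constructed throwaway tree, not a real install).

```python
"""Added example (not ownCloud's code): audit an ownCloud web root for the two
conditions the CVE-2023-49103 bulletin tells administrators to fix: the leftover
GetPhpInfo.php file under the graphapi vendor tree, and phpinfo() not being
listed in php.ini's disable_functions."""
import os
import re
import tempfile

# Relative path from the bulletin, below the ownCloud web root.
GETPHPINFO_RELPATH = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph", "tests", "GetPhpInfo.php"
)


def parse_disable_functions(php_ini_text):
    """Return the set of function names in the effective disable_functions
    directive of a php.ini body. ';' starts a comment; when the directive is
    repeated, the last occurrence is taken (PHP applies later values over
    earlier ones)."""
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"').strip("'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(webroot, php_ini_path):
    """Report both findings; action_needed is True if either step is missing."""
    file_present = os.path.isfile(os.path.join(webroot, GETPHPINFO_RELPATH))
    with open(php_ini_path, encoding="utf-8") as fh:
        phpinfo_disabled = "phpinfo" in parse_disable_functions(fh.read())
    return {
        "getphpinfo_present": file_present,
        "phpinfo_disabled": phpinfo_disabled,
        "action_needed": file_present or not phpinfo_disabled,
    }


def demo():
    """Constructed fixture: a temporary web root that still carries the test
    file and a php.ini that does not disable phpinfo; returns the audit result
    before and after applying the bulletin's two steps."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "owncloud")
        target = os.path.join(webroot, GETPHPINFO_RELPATH)
        os.makedirs(os.path.dirname(target))
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("<?php phpinfo();\n")  # constructed stand-in for the real file
        ini = os.path.join(tmp, "php.ini")
        with open(ini, "w", encoding="utf-8") as fh:
            fh.write("; constructed php.ini\nexpose_php = Off\n")
        before = audit(webroot, ini)
        # Apply the fix: remove the file and disable phpinfo.
        os.remove(target)
        with open(ini, "a", encoding="utf-8") as fh:
            fh.write('disable_functions = "exec, phpinfo"\n')
        after = audit(webroot, ini)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run `audit("/var/www/owncloud", "/usr/local/etc/php/php.ini")` (paths are examples) against a real host; note that rotating the secrets the bulletin lists is still required even when both checks pass, because anything already exposed stays compromised.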

“It is important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” warns the security bulletin.

“Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.”

The second issue, with a CVSS v3 score of 9.8, impacts ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass problem.

The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and the user has not configured a signing key (the default setting).

The published solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.
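The failure mode behind that fix is generic to any pre-signed URL scheme: if a verifier substitutes an empty key for an owner who never configured one, the "secret" is known to everyone and a signature can be computed for any path under that user. The following is an added illustration, not ownCloud's code: it uses HMAC-SHA256 over a constructed user/path/expiry tuple, a constructed key store where `alice` has a key and `bob` does not, and shows the weak fallback verifier next to one that denies pre-signed access outright when no key is configured, which is the behaviour the published solution describes.

```python
"""Added example (not ownCloud's code): HMAC pre-signed download URLs with a
per-user signing key. verify_empty_key_fallback() shows the weak pattern of
defaulting a missing key to b""; verify() denies such users instead."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key store: alice configured a key, bob never did (None models
# the default state the article refers to).
SIGNING_KEYS = {"alice": b"alice-key-constructed-for-the-example", "bob": None}


def signature_for(key, user, path, expires):
    """HMAC-SHA256 over exactly the fields the URL grants access to."""
    msg = f"{user}\n{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_url(user, path, expires, signature):
    return f"{path}?" + urlencode(
        {"user": user, "expires": expires, "signature": signature}
    )


def presign(user, path, expires, keys=SIGNING_KEYS):
    """Issue a pre-signed URL; refuses for owners without a configured key."""
    key = keys.get(user)
    if not key:
        raise ValueError(f"no signing key configured for {user!r}")
    return build_url(user, path, expires, signature_for(key, user, path, expires))


def parse_presigned(url):
    """Return (path, user, expires, signature) or None if fields are missing."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        return parts.path, q["user"][0], int(q["expires"][0]), q["signature"][0]
    except (KeyError, ValueError):
        return None


def verify_empty_key_fallback(url, now, keys=SIGNING_KEYS):
    """Weak pattern: a missing key silently becomes b"", so the signature over
    any path for that user is computable by anyone who knows the username."""
    parsed = parse_presigned(url)
    if parsed is None:
        return False
    path, user, expires, sig = parsed
    key = keys.get(user) or b""  # the defect: empty key instead of a refusal
    if now >= expires:
        return False
    return hmac.compare_digest(signature_for(key, user, path, expires), sig)


def verify(url, now, keys=SIGNING_KEYS):
    """Hardened: no configured key means pre-signed access is denied, and the
    signature is checked in constant time only for owners that do have one."""
    parsed = parse_presigned(url)
    if parsed is None:
        return False
    path, user, expires, sig = parsed
    key = keys.get(user)
    if not key:  # the fix: deny pre-signed URLs when the owner has no key
        return False
    if now >= expires:
        return False
    return hmac.compare_digest(signature_for(key, user, path, expires), sig)
```

The distinction matters because the signing key is the only thing that makes the URL unforgeable; an absent key must turn into "this feature is off for this user", never into a default value the verifier and everyone else can reproduce.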

The third and less severe flaw (CVSS v3 score: 9) is a subdomain validation bypass issue impacting all versions of the oauth2 library below 0.6.1.

In the oauth2 app, an attacker can enter a specially crafted redirect URL that bypasses the validation code, allowing redirection of callbacks to a domain controlled by the attacker.

The recommended mitigation is to harden the validation code in the Oauth2 app. A temporary workaround shared in the bulletin is to disable the "Allow Subdomains" option.
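Why an "allow subdomains" option is the risky part of redirect-URI validation is easiest to see in code. The following is an added example, not the oauth2 app's code and not a description of the actual bypass: it contrasts a substring-style check (the shape such validators often degrade into) with a check done on the parsed host, using a constructed registered callback of `https://app.example.test/cb`. The bypass patterns in the test (a registered host used as a prefix of another domain, as URL userinfo, or in a query string) are textbook OAuth2 redirect-URI cases.

```python
"""Added example (not ownCloud's code): OAuth2 redirect-URI validation with an
optional allow-subdomains setting implemented on the parsed hostname."""
from urllib.parse import urlsplit

# Constructed client registration for the example.
REGISTERED_REDIRECT = "https://app.example.test/cb"


def naive_allows(registered, candidate):
    """Substring check: accepts anything that merely contains the registered
    host somewhere in the URL. Kept only to contrast with host_allows()."""
    return urlsplit(registered).hostname in candidate


def host_allows(registered, candidate, allow_subdomains):
    """Accept the candidate only if scheme, port and path match the registered
    URI exactly and the host is the registered host or, when allow_subdomains
    is set, a label-boundary subdomain of it."""
    reg = urlsplit(registered)
    cand = urlsplit(candidate)
    if cand.scheme != reg.scheme or cand.hostname is None:
        return False
    if cand.username is not None or cand.password is not None:
        return False  # userinfo lets the registered host appear before '@'
    if cand.port != reg.port:
        return False
    reg_host = reg.hostname.lower()
    cand_host = cand.hostname.lower().rstrip(".")
    host_ok = cand_host == reg_host or (
        allow_subdomains and cand_host.endswith("." + reg_host)
    )
    if not host_ok:
        return False
    # The callback path is fixed at registration; no fragment is permitted.
    return cand.path == reg.path and cand.fragment == ""


if __name__ == "__main__":
    for url in (
        "https://app.example.test/cb",
        "https://login.app.example.test/cb",
        "https://app.example.test.other.test/cb",
        "https://app.example.test@other.test/cb",
        "https://other.test/cb?next=app.example.test",
    ):
        print(f"{url:48} naive={naive_allows(REGISTERED_REDIRECT, url)!s:5} "
              f"strict(subdomains on)={host_allows(REGISTERED_REDIRECT, url, True)}")
```

The `endswith("." + reg_host)` test is what makes the subdomain allowance safe: the dot forces a label boundary, so a host that only starts with the registered name is rejected. With the option disabled, as the bulletin's workaround suggests, the check collapses to an exact host match.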

The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.

Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups such as CLOP using them in data theft attacks on thousands of companies worldwide.

As a result, it is essential for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks.
