November 28, 2023 at 10:00AM
Threat actors are actively exploiting a critical information disclosure vulnerability in ownCloud’s Graphapi app. The vulnerability allows attackers to retrieve sensitive credentials and system information. The flaw affects Graphapi versions 0.2.0 to 0.3.0 and cannot be mitigated by disabling the app alone. Administrators are urged to follow the mitigation steps outlined by ownCloud. The vulnerability has been identified in approximately 11,000 exposed ownCloud instances globally, with the highest number in Germany, followed by the US and France.
Key Takeaways from Meeting Notes:
1. An information disclosure vulnerability has been discovered in ownCloud’s open source file-sharing and collaboration software.
2. The vulnerability, tracked as CVE-2023-49103, affects the Graphapi app and allows attackers to retrieve sensitive environment variables and system information.
3. The flaw affects Graphapi versions 0.2.0 to 0.3.0 and cannot be mitigated by disabling the Graphapi app.
4. Remediation steps include changing passwords for administrative accounts, access keys, and credentials for the mail server and database.
5. The vulnerability was disclosed by ownCloud on November 21, along with two other critical issues (CVE-2023-49104 and CVE-2023-49105).
6. The US cybersecurity agency CISA included the vulnerabilities in its weekly vulnerability roundup.
7. In-the-wild exploitation attempts targeting CVE-2023-49103 have been detected.
8. Nonprofit organization Shadowserver Foundation identified around 11,000 exposed ownCloud instances potentially at risk.
9. The majority of the exposed instances are located in Germany, followed by the US, France, Russia, Poland, the Netherlands, Italy, the UK, Canada, and Spain.
10. The vulnerability is described as easy to exploit, and administrators are urged to follow ownCloud’s recommended mitigation steps.
11. Attack activity targeting the vulnerability started on November 25 and has increased since then.
12. Some experts suggest that the attacks may be coordinated efforts by threat actors or botnets, while others believe they could be opportunistic attempts to exploit old vulnerabilities or weak passwords.