Hackers start exploiting critical ownCloud flaw, patch now

November 28, 2023 at 11:16AM

Hackers are actively exploiting a critical vulnerability in the ownCloud file synchronization and sharing software that could lead to data breaches. The flaw, tracked as CVE-2023-49103, lets remote attackers read the server's PHP environment and, with it, secrets such as the admin password, mail server credentials, and license keys. The vulnerability affects both containerized and non-containerized deployments, and administrators are urged to mitigate immediately by deleting the exposed file and rotating every secret that may have been disclosed. Shadowserver currently counts over 11,000 exposed instances, most of them in Germany, the United States, France, and Russia.

Key takeaways from the article:

1. Hackers are exploiting a critical vulnerability in ownCloud, tracked as CVE-2023-49103, which in containerized deployments exposes sensitive information such as admin passwords, mail server credentials, and license keys.
2. ownCloud is an open-source file synchronization and sharing solution used for self-hosted data management and sharing.
3. The developers of ownCloud have published security bulletins urging administrators to apply recommended mitigations immediately for three vulnerabilities that could lead to data breaches.
4. CVE-2023-49103 carries the maximum CVSS score of 10.0. It stems from a test file that the graphapi app ships inside its bundled third-party library; requesting that file over HTTP runs phpinfo(), which returns the PHP configuration and the server's environment variables, including any credentials stored in them.
5. Active exploitation of CVE-2023-49103 has been observed, with GreyNoise reporting mass exploitation of the flaw starting on November 25, 2023.
6. The Shadowserver Foundation also sees over 11,000 exposed instances, concentrated in Germany, the United States, France, and Russia.
7. ownCloud administrators are urged to delete the exposed file (apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php under the ownCloud web root, per ownCloud's advisory), disable the phpinfo() function in Docker containers, and rotate exposed secrets such as admin passwords, mail server credentials, and access keys.
8. Disabling the graphapi app does not mitigate the threat, because the web server serves the file directly whether or not the app is enabled; the vulnerability affects both containerized and non-containerized environments.
9. Docker containers built before February 2023 are not affected by the credential disclosure, although the phpinfo() output still reveals server configuration details, so the file should still be removed.
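The checks an administrator would run for this advisory, as an added example that is not part of the original article or of ownCloud's own tooling: the script scans web server access log lines for requests to the exposed file (a 200 response means the phpinfo() page was served), removes that file from an install tree, verifies that phpinfo is listed in PHP's disable_functions directive, and lists environment variables that need rotation after a disclosure. The file path is the one named in ownCloud's advisory, not in the article above; the log lines, the install tree and the environment are constructed for the demonstration, and the secret-name heuristic is this example's own.

```python
"""Triage and mitigation helpers for CVE-2023-49103 (ownCloud graphapi).

Added example, not ownCloud's code. Assumptions not stated in the article:
the exposed file is apps/graphapi/vendor/microsoft/microsoft-graph/tests/
GetPhpInfo.php under the ownCloud web root (the path named in ownCloud's
advisory), and phpinfo() is disabled through PHP's disable_functions
directive. Sample log lines, install tree and environment are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Path of the graphapi test file, relative to the ownCloud web root.
GETPHPINFO_REL = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")

# Match the file anywhere in the request path, so that installs under a
# sub-directory (/owncloud/...) and requests with a trailing suffix are caught.
_REQ_RE = re.compile(r"graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo\.php", re.I)

# Apache/nginx "combined" access log format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Name-based heuristic for variables a phpinfo() page would have disclosed.
_SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|LICENSE", re.I)


def find_exploit_attempts(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per request for GetPhpInfo.php. Status 200 means the
    server served the page, i.e. the environment was disclosed."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and _REQ_RE.search(m.group("path")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


def remove_getphpinfo(webroot: Path) -> bool:
    """Delete the test file if present. True if something was removed."""
    target = webroot / GETPHPINFO_REL
    if target.is_file():
        target.unlink()
        return True
    return False


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if the effective disable_functions directive lists phpinfo."""
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            # a later directive replaces an earlier one, as PHP applies them
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return "phpinfo" in disabled


def secrets_to_rotate(environ: Dict[str, str]) -> List[str]:
    """Names of variables to rotate after a successful disclosure (heuristic
    on the name only; review the full phpinfo output for anything it misses)."""
    return sorted(k for k in environ if _SECRET_NAME_RE.search(k))


def make_sample_webroot() -> Path:
    """Constructed ownCloud tree in a temp dir containing the exposed file."""
    root = Path(tempfile.mkdtemp(prefix="owncloud-"))
    target = root / GETPHPINFO_REL
    target.parent.mkdir(parents=True)
    target.write_text("<?php phpinfo();\n")
    return root


# Constructed access log: two served requests, one unrelated, one blocked.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:14:02:11 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 61234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2023:14:02:12 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 61234 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [25/Nov/2023:14:05:40 +0000] "GET /index.php/login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Nov/2023:03:11:09 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for h in find_exploit_attempts(SAMPLE_LOG):
        verdict = "SERVED " if h["status"] == "200" else "blocked"
        print(f"{verdict} {h['ip']} {h['ts']} {h['path']}")
    root = make_sample_webroot()
    print("removed GetPhpInfo.php:", remove_getphpinfo(root))
    print("phpinfo disabled:", phpinfo_disabled("disable_functions = exec,phpinfo\n"))
    env = {"OWNCLOUD_ADMIN_PASSWORD": "x", "OWNCLOUD_DOMAIN": "cloud.example", "PATH": "/usr/bin"}
    print("rotate:", secrets_to_rotate(env))
```

Any hit with status 200 from before the file was removed should be treated as a confirmed disclosure, and every secret the server held at that time rotated; a 403 or 404 only shows that the attempt was made. The log matcher deliberately keys on the file's path fragment rather than an exact URL, so it also catches installs under a sub-directory and requests carrying extra path segments.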