Last updated at Fri, 01 Dec 2023 22:11:26 GMT

Rapid7 is responding to CVE-2023-49103, an unauthenticated information disclosure vulnerability impacting ownCloud.

Background

ownCloud is a file sharing platform designed for enterprise environments. On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud when a vulnerable extension called “Graph API” (graphapi) is present. If ownCloud has been deployed via Docker from February 2023 onwards, this vulnerable graphapi component is present by default. If ownCloud was installed manually, the graphapi component is not present by default.

Searching for ownCloud via Shodan indicates there are at least 12,320 instances on the internet (as of Dec 1, 2023). It is unknown how many of these are currently vulnerable.

File transfer and sharing platforms have been targeted by ransomware groups in the past, which makes ownCloud, itself a file sharing platform, a target of particular concern. On November 30, 2023, CISA added CVE-2023-49103 to its Known Exploited Vulnerabilities (KEV) catalog, indicating threat actors have begun to exploit this vulnerability in the wild. At the time of writing, Rapid7 Labs has observed exploitation attempts against at least three customer environments.

The vulnerability allows an unauthenticated attacker to disclose sensitive information via the output of the PHP function phpinfo, which is exposed by the file /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. This output includes environment variables, which may hold secrets such as user names or passwords supplied to the ownCloud system. In particular, when ownCloud is deployed via Docker, it is common practice to pass secrets via environment variables.

While Docker installations of ownCloud were initially believed to be unexploitable, Rapid7 researchers have now confirmed (as of Nov 30, 2023) that vulnerable Docker-based installations of ownCloud can be exploited by modifying the requested URI so that it bypasses the Apache web server's existing rewrite rules, allowing the target URI endpoint to be reached.

Previously, it was thought that any attempt to exploit a vulnerable Docker-based ownCloud installation would fail with an HTTP 302 redirect; using this new technique, however, successful exploitation of a vulnerable Docker-based ownCloud installation is possible. As Docker passes secrets via environment variables, this allows an attacker to disclose secrets such as the OWNCLOUD_ADMIN_USERNAME and OWNCLOUD_ADMIN_PASSWORD environment variables, which contain the username and password for the admin user, allowing the attacker to log in to the affected ownCloud system with administrative privileges.

Timeline of events:

Affected Products

Please note: information on affected versions or exploitability requirements may change as our understanding of the threat evolves.

The affected product is the ownCloud Graph API extension (graphapi), specifically versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. CVE-2023-49103 has been remediated in graphapi versions 0.2.1 and 0.3.1, released on September 1, 2023.

You can find more details on the vendor page: http://marketplace.owncloud.com/apps/graphapi

Mitigation guidance

To remediate CVE-2023-49103, the vulnerable graphapi component should be updated to a fixed version (0.3.1, or 0.2.1 on the 0.2.x branch) as per the vendor advisory. If the following file is present in an ownCloud installation, it should be deleted:

/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

An ownCloud installation can be further hardened by adding the PHP function phpinfo to the PHP disabled functions list (the disable_functions directive) in the appropriate PHP ini configuration file. Since disclosing CVE-2023-49103, ownCloud has added this hardening to several of the most recent versions of its official Docker container images. Docker containers built from images released before that will not have the updated hardening applied unless their images are rebuilt.
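As an added example (not Rapid7's or ownCloud's code), the following Python script audits a local ownCloud tree for the three remediation points above: the installed graphapi version against the fixed releases named in the advisory, the presence of GetPhpInfo.php, and whether phpinfo appears in php.ini's disable_functions. It assumes the graphapi manifest lives at apps/graphapi/appinfo/info.xml with a <version> element (the standard ownCloud app layout, not stated on this page); the tree it audits in demo_audit() is a constructed fixture, not a real installation.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Fixed graphapi releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {(0, 2): (0, 2, 1), (0, 3): (0, 3, 1)}

# The phpinfo() test script, relative to the ownCloud web root.
GETPHPINFO_REL = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")

# Assumed location of the app manifest (standard ownCloud app layout; not stated on this page).
INFO_XML_REL = Path("apps/graphapi/appinfo/info.xml")


def parse_version(text):
    """'0.3.0' -> (0, 3, 0); a non-numeric tail such as '-rc1' is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def graphapi_is_vulnerable(version_text):
    """CVE-2023-49103: 0.2.x before 0.2.1 and 0.3.x before 0.3.1 are affected."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    # Branches the advisory does not name are not flagged here.
    return fixed is not None and v < fixed


def phpinfo_disabled(ini_text):
    """True if a php.ini text lists phpinfo under disable_functions."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        if not line.lower().startswith("disable_functions"):
            continue
        _, _, value = line.partition("=")
        if "phpinfo" in {f.strip().lower() for f in value.split(",")}:
            return True
    return False


def audit_install(root, php_ini=None):
    """Report the graphapi version, the test script, and the phpinfo hardening."""
    root = Path(root)
    findings = {"graphapi_version": None, "graphapi_vulnerable": False,
                "getphpinfo_present": (root / GETPHPINFO_REL).is_file(),
                "phpinfo_disabled": None}
    manifest = root / INFO_XML_REL
    if manifest.is_file():
        version = ET.parse(manifest).getroot().findtext("version") or ""
        findings["graphapi_version"] = version
        findings["graphapi_vulnerable"] = graphapi_is_vulnerable(version)
    if php_ini is not None and Path(php_ini).is_file():
        findings["phpinfo_disabled"] = phpinfo_disabled(Path(php_ini).read_text())
    return findings


def demo_audit(version="0.3.0", disable_phpinfo=False):
    """Build a constructed ownCloud-like tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        manifest = root / INFO_XML_REL
        manifest.parent.mkdir(parents=True)
        manifest.write_text(f"<info><id>graphapi</id><version>{version}</version></info>")
        script = root / GETPHPINFO_REL
        script.parent.mkdir(parents=True)
        script.write_text("<?php phpinfo();\n")
        ini = root / "php.ini"
        ini.write_text("disable_functions = " + ("phpinfo" if disable_phpinfo else "") + "\n")
        return audit_install(root, ini)


if __name__ == "__main__":
    for key, value in demo_audit().items():
        print(f"{key}: {value}")
```

Run it against a real web root with audit_install("/var/www/owncloud", "/etc/php/8.1/apache2/php.ini") (paths are illustrative); a result with graphapi_vulnerable or getphpinfo_present set to True means the update or file removal above has not been applied, and phpinfo_disabled False means the extra hardening is absent even if the component is patched.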

It is highly recommended to update ownCloud to at least version 10.13.1, which resolves CVE-2023-49103 because graphapi ships as part of the full ownCloud package. Version 10.13.1 also resolves two other vulnerabilities:

  • CVE-2023-49104: A subdomain validation bypass in the oauth2 component
  • CVE-2023-49105: A WebDAV API authentication bypass.

All 3 vulnerabilities were disclosed by ownCloud on November 21, 2023.

Indicators of Compromise

An indicator of compromise for CVE-2023-49103 is the presence in the Apache server access logs of HTTP GET requests for a URI path containing the following:

/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

A successful request will receive an HTTP 200 response. For example, a successful exploitation attempt against a vulnerable Docker-based ownCloud installation will produce a log file entry that looks like this:

192.168.86. - - [01/Dec/2023:09:32:57 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 30939 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

When exploiting a Docker-based installation, the attacker must append an extra path segment to the target URI path, such as /.css, to bypass the Apache rewrite rules and allow the target endpoint to be reached. Because the .htaccess file in ownCloud specifies several file extensions that bypass the rewrite rules, the additional path segment an attacker can use may be any of several values, as listed below:

/.css
/.js
/.svg
/.gif
/.png
/.html
/.ttf
/.woff
/.ico
/.jpg
/.jpeg
/.json
/.properties
/.min.map
/.js.map
/.auto.map

If a vulnerable ownCloud server has added the PHP function phpinfo to its disabled functions list, no content will be returned to the attacker, and the HTTP response will have a Content-Length of zero.

A failed exploitation attempt will see an HTTP response with a 404 or 302 response code.
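As an added example that is not part of the Rapid7 post or its Sigma rule, the following Python script applies the indicators above to Apache combined-format access log lines: it normalizes the requested path (percent-decoding and collapsing repeated slashes), matches the GetPhpInfo.php path with or without one of the rewrite-bypass segments listed above, and classifies each hit by status code and response size as described. The log lines embedded in it are constructed for demonstration; the first is modelled on the entry shown earlier.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "method uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

TARGET = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Extra path segments the post lists as bypassing ownCloud's .htaccess rewrite rules.
BYPASS_SUFFIXES = {"/" + s for s in (
    ".css", ".js", ".svg", ".gif", ".png", ".html", ".ttf", ".woff", ".ico",
    ".jpg", ".jpeg", ".json", ".properties", ".min.map", ".js.map", ".auto.map")}

# Constructed sample access log (not real traffic). Line 1 mirrors the entry shown above;
# line 3 uses a percent-encoded bypass segment and a zero-length body.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2023:09:32:57 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 30939 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2023:09:33:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 302 - "-" "curl/8.4.0"
192.0.2.11 - - [01/Dec/2023:09:40:11 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/%2Ejs HTTP/1.1" 200 0 "-" "python-requests/2.31"
192.0.2.12 - - [01/Dec/2023:09:41:30 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 1234 "-" "curl/8.4.0"
192.0.2.13 - - [01/Dec/2023:09:42:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return None for unrelated lines, otherwise a dict describing the attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding and collapse duplicate slashes so trivial evasions still match.
    path = re.sub(r"/+", "/", unquote(m.group("uri").split("?", 1)[0]))
    idx = path.lower().find(TARGET.lower())
    if idx < 0:
        return None
    suffix = path[idx + len(TARGET):]
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if status in (302, 404):
        verdict = "failed"      # rewrite redirect or missing file stopped the request
    elif status == 200 and size > 0:
        verdict = "success"     # phpinfo() output was returned to the client
    elif status == 200:
        verdict = "no_output"   # 200 with Content-Length 0: phpinfo is disabled
    else:
        verdict = "other"
    return {"host": m.group("host"), "time": m.group("time"), "path": path,
            "suffix": suffix, "known_bypass": suffix in BYPASS_SUFFIXES,
            "status": status, "size": size, "verdict": verdict}


def scan(log_text):
    """All GetPhpInfo.php requests in a log text, in order."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["host"]} {hit["verdict"]:9} status={hit["status"]} '
              f'size={hit["size"]} suffix={hit["suffix"] or "-"}')
```

Feed it a real access log with scan(open("/var/log/apache2/access.log").read()); any hit with verdict "success" indicates phpinfo output left the server and the secrets in the container's environment (such as OWNCLOUD_ADMIN_PASSWORD) should be treated as exposed, while "failed" and "no_output" hits still show an attacker probing for this path.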

Rapid7 Labs has a Sigma rule that can help organizations identify possible exploitation activity related to this vulnerability: http://github.com/rapid7/Rapid7-Labs/tree/main/Sigma

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-49103 with an authenticated check for Unix systems, scheduled for today’s (December 1) content release.

Please note: Emergent threats evolve quickly. As we learn more about this vulnerability, this blog post will also evolve. This page will serve as the anchor for our findings, product coverage, and other key information that can help you mitigate and remediate this threat.

Our intent is to provide you with as much information as we can confidently verify, as early as possible, with the understanding that the full picture will take some time to emerge. We will update this blog post in real time as we learn more about this vulnerability and complete an in-depth technical analysis of the attack vector.