Threat actors have started exploiting a critical information disclosure vulnerability in the open source file-sharing and collaboration software ownCloud only days after its public disclosure.
The vulnerability, tracked as CVE-2023-49103, impacts the Graphapi app, allowing attackers to retrieve sensitive environment variables, including credentials, license keys, and other system information.
Impacting Graphapi versions 0.2.0 to 0.3.0, the flaw cannot be mitigated simply by disabling the Graphapi app; remediation also requires changing passwords for administrative accounts, access keys, and credentials for the mail server and database.
ownCloud disclosed the vulnerability on November 21, along with two other critical issues in the software (CVE-2023-49104 and CVE-2023-49105). On Monday, the US cybersecurity agency CISA included the bugs in its weekly vulnerability roundup, without a severity rating.
Also on Monday, services that track attack activity and exposed assets issued warnings about the first in-the-wild exploitation attempts targeting CVE-2023-49103.
Nonprofit cybersecurity organization Shadowserver Foundation warned that it has identified roughly 11,000 ownCloud instances exposed to the internet and potentially at risk.
The largest number of these instances are in Germany (2,000), followed by the US (1,400) and France (1,300). Russia, Poland, the Netherlands, Italy, the UK, Canada, and Spain round out the top 10, with hundreds of instances each.
Shadowserver warns that the vulnerability is very easy to exploit, urging administrators to follow the mitigation steps outlined by ownCloud.
According to data from GreyNoise, the targeting of CVE-2023-49103 started on November 25, with attacks originating from a single IP address. The number of exploitation attempts increased on Monday, with 11 unique IPs joining the fray.
Johannes Ullrich of the SANS Internet Storm Center also warned of activity targeting the ownCloud vulnerability, detailing five IPs involved in the observed attacks, which have scanned for files within vulnerable ownCloud instances.
“This pattern can suggest potential coordinated efforts by threat actors or botnets aiming to exploit the disclosed security flaw,” SOC Radar notes.
Ullrich, however, points out that there is a steady flow of attacks targeting ownCloud instances, many of which “are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords”.