Security experts have urged ownCloud customers to mitigate a critical zero-day vulnerability in its “graphapi” app announced last week, after observing mass exploitation by threat actors.
Security vendor GreyNoise raised the alarm after file server and collaboration platform ownCloud revealed the CVSS 10.0-rated vulnerability on November 21.
“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” ownCloud said at the time.
“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”
In short, exploitation could allow malicious actors to take full administrative control of servers running ownCloud.
GreyNoise said that threat actors began exploiting the vulnerability en masse as early as November 25.
“Disabling the app does not entirely resolve the issue, and even non-containerized ownCloud instances are at risk. Docker containers before February 2023 are not affected,” it explained.
Customers are urged to take the mitigation measures suggested by ownCloud: delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.
The company also advised customers to change their ownCloud admin password, mail server credentials, database credentials and object store/S3 access key.
“This one is concerning because ownCloud is the type of software that home users and small businesses tend to set up and then forget,” explained Bugcrowd founder Casey Ellis.
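As an added example (not from the article and not ownCloud's own tooling), a POSIX shell script that applies the file-deletion step above and then checks a web server access log for requests that named the deleted file, so an administrator can tell whether the instance was probed before rotating credentials. The install root, the combined access-log format and the assumption that the file's URL path mirrors its path on disk are all assumptions.

```shell
#!/bin/sh
# Added example, not ownCloud's code. Assumptions: the install root is passed
# in, and requests for the file appear in a combined-format access log under
# the same path as on disk.

VULN_REL="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# remove_getphpinfo ROOT: delete the test file the advisory names, if present.
# Succeeds only when the file is absent afterwards.
remove_getphpinfo() {
    f="$1/$VULN_REL"
    if [ -f "$f" ]; then
        rm -f "$f" && echo "removed $f"
    else
        echo "not present: $f"
    fi
    [ ! -e "$f" ]
}

# count_getphpinfo_hits LOGFILE: number of requests naming GetPhpInfo.php.
# grep exits 1 when nothing matches, so the count is still printed as 0.
count_getphpinfo_hits() {
    grep -ci 'GetPhpInfo\.php' "$1" || true
}

# getphpinfo_sources LOGFILE: distinct client addresses behind those requests,
# one per line, for the credential-rotation and incident notes.
getphpinfo_sources() {
    grep -i 'GetPhpInfo\.php' "$1" | awk '{print $1}' | sort -u
}

# write_sample_log FILE: constructed log lines (not real traffic) for a demo.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [26/Nov/2023:09:12:01 +0000] "GET /index.php/login HTTP/1.1" 200 4121
203.0.113.7 - - [26/Nov/2023:09:12:05 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 88213
198.51.100.3 - - [26/Nov/2023:09:14:40 +0000] "GET /status.php HTTP/1.1" 200 212
198.51.100.3 - - [26/Nov/2023:09:14:41 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php HTTP/1.1" 200 88213
EOF
}

# Demo: ./check.sh --demo ROOT  (ROOT defaults to a throwaway directory)
if [ "${1:-}" = "--demo" ]; then
    root="${2:-$(mktemp -d)}"
    remove_getphpinfo "$root"
    log="$root/access.log"; write_sample_log "$log"
    echo "GetPhpInfo.php requests: $(count_getphpinfo_hits "$log")"
    echo "from:"; getphpinfo_sources "$log"
fi
```

Against a real deployment, point `getphpinfo_sources` at the actual access log rather than the constructed one, and treat any hit as a reason to rotate every credential the advisory lists.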
“The combination of the impact of this vulnerability and the type of personal/valuable data stored in ownCloud instances provides a wide variety of options for attackers looking to exploit it. I’d be very surprised if we don’t start hearing about ransomed ownCloud instances in the coming days.”
As if that weren’t enough, ownCloud also revealed two additional critical vulnerabilities: an authentication bypass flaw, CVE-2023-49105, with a CVSS score of 9.8, and a subdomain validation bypass flaw, CVE-2023-49104, with a score of 8.7.