Security researchers are warning of widespread exploitation of a critical vulnerability in ownCloud, a popular open-source file sharing and synchronization platform. The vulnerability, tracked as CVE-2023-49103, allows attackers to execute arbitrary code on affected servers, potentially gaining complete control over the system.
Key Highlights
- Hackers are actively exploiting a critical vulnerability in ownCloud, an open-source file sharing and synchronization platform.
- The flaw, tracked as CVE-2023-49103, allows attackers to execute arbitrary code on affected servers, potentially gaining complete control over the system.
- Organizations running ownCloud are strongly advised to apply the latest security patches immediately to mitigate the risk of exploitation.
ownCloud is widely used by organizations of all sizes to share and synchronize files internally and externally. The vulnerability affects ownCloud versions 10.8.0 and earlier, and ownCloud Infinite Scale versions 11.0.0 and earlier.
Threat tracking firms have observed a steady stream of exploitation attempts, indicating that hackers are actively targeting ownCloud servers. Greynoise has detected over 150 unique IP addresses attempting to exploit CVE-2023-49103, representing a significant escalation from the initial observations.
The sheer scale of exploitation across multiple geographic regions underscores the gravity of the vulnerability. Organizations worldwide are at risk, regardless of their size or industry.
Exploitation in the Wild and Rising Trajectory
Threat tracking firm Greynoise has observed mass exploitation of the flaw in the wild starting on November 25, 2023, with a rising trajectory. Greynoise has tracked 12 unique IP addresses exploiting CVE-2023-49103. Another threat tracking firm, Shadowserver, has also confirmed the widespread exploitation of the vulnerability, noting that it has detected over 11,000 exposed ownCloud instances, with the majority located in Germany, the United States, France, and Russia.
Mitigating the Risk of Exploitation
Organizations running ownCloud are strongly advised to apply the latest security patches immediately to mitigate the risk of exploitation. The patches for CVE-2023-49103 are available for ownCloud versions 10.8.1 and 11.0.1, as well as ownCloud Infinite Scale versions 11.0.1 and 11.1.0.
In addition to patching, organizations should also consider implementing the following mitigation measures:
- Disabling the “Allow Subdomains” option in the OAuth2 app.
- Removing the “phpinfo()” function from Docker containers.
- Changing potentially exposed secrets, such as the ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access keys.
The CVE-2023-49103 vulnerability in ownCloud poses a significant risk to organizations that run the platform. Attackers are actively exploiting the flaw, and organizations should take immediate action to patch their systems and implement additional mitigation measures to protect their data and infrastructure.
