Last updated Fri, 01 Dec 2023 22:11:26 GMT

Rapid7 is responding to CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud.

Background

ownCloud is a file-sharing platform designed for enterprise environments. On November 21, 2023, ownCloud disclosed CVE-2023-49103, an unauthenticated information disclosure vulnerability affecting ownCloud when a vulnerable extension called "Graph API" (graphapi) is present. If ownCloud has been deployed via Docker from February 2023 onwards, the vulnerable graphapi component is present by default. If ownCloud has been installed manually, the graphapi component is not present by default.

Searching Shodan for ownCloud shows at least 12,320 instances on the internet (as of Dec 1, 2023). It is unclear how many of these are vulnerable.

File transfer and sharing platforms have come under attack from ransomware groups in the past, so ownCloud, itself a file-sharing platform, is a target of particular concern. On November 30, 2023, CISA added CVE-2023-49103 to its Known Exploited Vulnerabilities (KEV) list, indicating that threat actors have begun exploiting this vulnerability in the wild. Rapid7 Labs has observed exploit attempts against at least three customer environments as of this writing.

The vulnerability allows an unauthenticated attacker to leak sensitive information via the output of the PHP function "phpinfo" when targeting the URI endpoint "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php". This output will include environment variables that may contain secrets, such as usernames or passwords supplied to the ownCloud system. Specifically, when ownCloud is deployed via Docker, passing secrets via environment variables is a common practice.

While it was initially thought that Docker installations of ownCloud were not exploitable, Rapid7 researchers have now confirmed (as of November 30, 2023) that it is possible to exploit vulnerable Docker-based installations of ownCloud by modifying the requested URI such that it bypasses the existing Apache web server's rewrite rules, allowing the target URI endpoint to be reached.

Previously, it was thought that any attempt to exploit a vulnerable Docker-based installation of ownCloud would fail with an HTTP 302 redirect; however, using this new technique, it is possible to successfully exploit vulnerable Docker-based installations of ownCloud. Since Docker passes secrets via environment variables, this allows an attacker to leak secrets such as the OWNCLOUD_ADMIN_USERNAME and OWNCLOUD_ADMIN_PASSWORD environment variables, which contain the admin user's username and password, allowing an attacker to log in to the affected ownCloud system with administrator privileges.

Timeline of events:

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

The affected product is the ownCloud Graph API extension, specifically versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. CVE-2023-49103 was fixed in versions 0.3.1 and 0.2.1, released on September 1, 2023.

Further details can be found on the vendor's page: http://marketplace.owncloud.com/apps/graphapi

Mitigation guidance

To remediate CVE-2023-49103, the graphapi component should be updated to 0.3.1 as per the vendor advisory. If the following file is present in the ownCloud installation, it should be deleted:

/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

An ownCloud installation may be further hardened by adding the PHP function "phpinfo" to the PHP disabled functions list in the appropriate PHP ini configuration file. Since disclosing CVE-2023-49103, ownCloud has added this hardening to several recent versions of its official Docker container images. Docker containers that were built from Docker images released prior to this addition will not have the updated hardening applied unless their images are rebuilt.
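The two host-side mitigations above (remove the test script, disable `phpinfo`) can be verified with a short script. The following is an added example written for this page, not ownCloud's or Rapid7's tooling; it assumes the caller supplies the ownCloud web root and the text of the effective PHP ini file, and the ini snippets it ships with are constructed for illustration.

```python
"""Verify the CVE-2023-49103 host mitigations: GetPhpInfo.php removed, phpinfo disabled.

Added example for this page (not ownCloud or Rapid7 code). The ini snippets are
constructed; the web root and ini text are assumed to be supplied by the caller.
"""
import os
import re
import tempfile

# Relative path of the test script that must not be present (from the advisory text).
GETPHPINFO_REL = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

_DISABLE_RE = re.compile(r'^disable_functions\s*=\s*"?([^"]*)"?\s*$')


def parse_disable_functions(ini_text: str) -> set:
    """Return the functions named by the last effective disable_functions directive.

    Handles ';' comments, optional quoting and whitespace, and lower-cases names
    because PHP function names are case-insensitive.
    """
    funcs = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ini comments
        m = _DISABLE_RE.match(line)
        if m:
            # A later directive overrides an earlier one, as PHP applies them.
            funcs = {f.strip().lower() for f in m.group(1).split(",") if f.strip()}
    return funcs


def phpinfo_disabled(ini_text: str) -> bool:
    return "phpinfo" in parse_disable_functions(ini_text)


def getphpinfo_present(owncloud_root: str) -> bool:
    return os.path.isfile(os.path.join(owncloud_root, GETPHPINFO_REL))


def check_host(owncloud_root: str, ini_text: str) -> dict:
    """Summarise both mitigations; a fully mitigated host has False/True here."""
    return {
        "getphpinfo_file_present": getphpinfo_present(owncloud_root),
        "phpinfo_disabled": phpinfo_disabled(ini_text),
    }


# Constructed ini fragments: the default (weak) setting beside the hardened one.
WEAK_INI = "; default php.ini leaves the list empty\ndisable_functions =\n"
HARDENED_INI = 'disable_functions = "phpinfo"\n'

if __name__ == "__main__":
    # Build a throwaway web root containing the test script to show the positive case.
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, GETPHPINFO_REL)
        os.makedirs(os.path.dirname(target))
        open(target, "w").close()
        print("before:", check_host(root, WEAK_INI))
        os.remove(target)
        print("after: ", check_host(root, HARDENED_INI))
```

Run it against the real web root and the output of `php --ini` on the host; any result other than `getphpinfo_file_present: False` and `phpinfo_disabled: True` means one of the mitigations is still outstanding.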

It is strongly recommended to update ownCloud to at least version 10.13.1, as this resolves CVE-2023-49103 when graphapi is shipped as part of the complete ownCloud bundle. Version 10.13.1 also resolves two other vulnerabilities:

  • CVE-2023-49104: subdomain validation bypass in the oauth2 component
  • CVE-2023-49105: WebDAV API authentication bypass

All three vulnerabilities were disclosed by ownCloud on November 21, 2023.

Indicators of Compromise

An indicator of compromise for CVE-2023-49103 will be the presence of an HTTP GET request to a URI path containing the following in the Apache server’s access logs:

/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

A successful request will receive an HTTP 200 response. For example, a successful exploitation attempt against a vulnerable Docker-based installation of ownCloud will produce a log file entry that looks like this:

192.168.86.34 - - [01/Dec/2023:09:32:57 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 30939 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

When exploiting a Docker-based installation, an attacker must append an additional path segment to the target URI path, such as `/.css`, in order to bypass the Apache rewrite rules and allow the target endpoint to be reached. Because the .htaccess file in ownCloud specifies multiple file extensions that bypass the rewrite rules, the additional path segment an attacker may use can be one of several values, as listed below:

/.css
/.js
/.svg
/.gif
/.png
/.html
/.ttf
/.woff
/.ico
/.jpg
/.jpeg
/.json
/.properties
/.min.map
/.js.map
/.auto.map

If a vulnerable ownCloud server has added the PHP function `phpinfo` to its disabled functions list, nothing will be returned to the attacker and the HTTP response will have a Content-Length of 0.

A failed exploitation attempt will see an HTTP response containing a 404 or 302 response code.
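The indicators above translate directly into a log triage rule: a GET whose path contains the GetPhpInfo.php endpoint, optionally followed by one of the .htaccess extension segments listed, classified by status code and response size. The script below is an added example for this page, not Rapid7's Sigma rule or ownCloud code; it parses Apache combined-format access logs, and the log lines it contains are constructed (client IPs, timestamps and sizes are made up).

```python
"""Triage Apache access-log lines for CVE-2023-49103 exploitation attempts.

Added example for this page (not Rapid7's Sigma rule). Applies the indicators from the
advisory: GET for the GetPhpInfo.php path, optional rewrite-bypass segment, verdict by
status code and body size. Sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

TARGET_PATH = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Appended segments that bypass the ownCloud .htaccess rewrite rules (list from the advisory).
BYPASS_SEGMENTS = (
    "/.css", "/.js", "/.svg", "/.gif", "/.png", "/.html", "/.ttf", "/.woff",
    "/.ico", "/.jpg", "/.jpeg", "/.json", "/.properties", "/.min.map",
    "/.js.map", "/.auto.map",
)

# Apache "combined" log format up to the status and size fields; %b logs "-" for an empty body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    uri: str
    status: int
    size: int
    bypass_segment: Optional[str]
    verdict: str


def classify(status: int, size: int) -> str:
    """Map status/size to the outcomes described in the advisory."""
    if status == 200:
        # 200 with a body: phpinfo output was served. 200 with Content-Length 0: phpinfo disabled.
        return "likely_success" if size > 0 else "blocked_phpinfo_disabled"
    if status in (302, 404):
        return "failed"
    return "other"


def analyze_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri").split("?", 1)[0]  # ignore any query string
    idx = uri.find(TARGET_PATH)            # also matches under a /owncloud/ prefix
    if idx == -1:
        return None
    trailer = uri[idx + len(TARGET_PATH):]
    segment = trailer if trailer in BYPASS_SEGMENTS else None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    status = int(m.group("status"))
    return Finding(m.group("ip"), m.group("ts"), uri, status, size, segment,
                   classify(status, size))


def scan(lines) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample log: one leak, one failed non-bypass attempt, one blocked by
# disable_functions, one unrelated request.
SAMPLE_LOG = [
    '192.168.86.34 - - [01/Dec/2023:09:32:57 +0000] "GET ' + TARGET_PATH + '/.css HTTP/1.1" 200 30939 "-" "Mozilla/5.0"',
    '192.168.86.35 - - [01/Dec/2023:09:33:10 +0000] "GET ' + TARGET_PATH + ' HTTP/1.1" 302 - "-" "curl/8.4.0"',
    '192.168.86.36 - - [01/Dec/2023:09:34:02 +0000] "GET ' + TARGET_PATH + '/.js HTTP/1.1" 200 - "-" "python-requests/2.31"',
    '192.168.86.37 - - [01/Dec/2023:09:35:44 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.status} {f.size:>6} {f.verdict:<26} "
              f"bypass={f.bypass_segment} {f.uri}")
```

Feed it the real access log with `scan(open(path))`; any `likely_success` finding warrants treating the environment-variable secrets (including the OWNCLOUD_ADMIN_* credentials) as exposed and rotating them, while `blocked_phpinfo_disabled` and `failed` findings still record who is probing the endpoint.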

Rapid7 Labs has a Sigma rule available to help organizations identify possible exploitation activity related to this vulnerability: http://github.com/rapid7/Rapid7-Labs/tree/main/Sigma

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-49103 with an authenticated check for Unix systems, expected to be available in today's (December 1) content release.

Please note: emergent threats evolve quickly. As we learn more about this vulnerability, this blog post will continue to evolve. This page will serve as the home for our findings, product coverage, and other important information that can assist you in mitigating and remediating this threat.

Our aim is to provide you with as much of this information as we can confidently verify, as early as possible, with the understanding that it will take some time for the full picture to emerge. We will update this blog post in real time as we learn more details about this vulnerability and perform an in-depth technical analysis of the attack vector.