Dive Brief:
- Threat actors are exploiting a critical vulnerability in the open source file-transfer service ownCloud that could reveal sensitive data, including admin passwords, mail server credentials and license keys, according to threat researchers. OwnCloud disclosed the vulnerability, CVE-2023-49103, Nov. 21 with a base CVSS rating of 10 out of 10.
- The vulnerability was discovered by an external threat researcher in mid-September, patched by the company on Sept. 19 and customers were notified Sept. 20, a company spokesperson said Friday via email. “To our current knowledge, none of our customers were affected since we closed the security gap, updated our software and advised our customers how to secure their systems before the CVE was made public,” the spokesperson said. “No exploits are known at this time.”
- Researchers contradict that assertion, noting threat actors started exploiting ownCloud instances on Nov. 25 and attempted exploits were observed as recently as Friday, according to data from Greynoise and the SANS Internet Storm Center. More than 11,000 ownCloud instances were exposed to the internet as of Monday, according to the Shadowserver Foundation.
Dive Insight:
The targeted attacks follow a concentrated and sustained period of malicious activity against file-transfer services. Progress Software’s MOVEit, Fortra’s GoAnywhere and IBM Aspera Faspex were each targeted in mass-exploitation campaigns over the first half of this year.
The ownCloud CVE affects the Graph API app (graphapi): it exposes the output of PHP’s phpinfo() function, including the web server’s environment variables, and in containerized deployments those variables can hold the admin password, mail server credentials and the license key. The vendor also disclosed an additional pair of CVEs the same day: a critical authentication bypass in the WebDAV API and a subdomain validation bypass in the OAuth2 app.
The trio of vulnerabilities were disclosed the same day Kiteworks announced an agreement to merge with the Germany-based ownCloud and Dracoon, another file-sharing service for enterprises.
California-based Kiteworks said more than 3,800 global enterprises and government agencies use its content security and compliance platform. The concurrent mergers open new markets and customer bases for the company in German-speaking regions of Europe.
The critical vulnerability in ownCloud’s Graph API can expose “potentially sensitive configuration details that could be exploited by an attacker to gather information about the system,” ownCloud said.
Disabling the Graph API app does not eliminate the vulnerability, because the phpinfo script is a static file shipped in the app’s bundled library and stays reachable through the web server; ownCloud’s advisory instructs administrators to delete that file (GetPhpInfo.php under the graphapi app’s vendor/microsoft/microsoft-graph/tests directory). Because the exposed environment may already have been read, users should also rotate the ownCloud admin password, database credentials, mail server credentials and object-store/S3 access keys to mitigate the risk, ownCloud said.
The company said it disabled the “phpinfo” function in containers and plans to apply other fixes in future releases.
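Since the observed activity is simple HTTP probing of one script, the most useful check for a defender is a pass over web-server access logs. The script below is an added example written for this page, not code from ownCloud or from the researchers cited above: it parses Apache/nginx combined-format log lines, flags any request whose percent-decoded path contains the GetPhpInfo.php location named in ownCloud’s advisory (that path is taken from the vendor advisory, not from this article), and marks a hit as a likely disclosure when the server answered 200 with a body large enough to be phpinfo() output. The byte threshold and the sample log lines are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Location of the phpinfo() test script bundled with the graphapi app's
# third-party Microsoft Graph SDK. This path comes from ownCloud's
# CVE-2023-49103 advisory, not from the article above. It is matched
# case-insensitively and anywhere in the request path so that differently
# rooted installs (/owncloud/..., /...) and appended path segments still hit.
GETPHPINFO_PATH = "graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# phpinfo() output is tens of kilobytes; a 200 with a body at least this
# large is treated as a likely successful disclosure (heuristic assumption).
MIN_PHPINFO_BYTES = 10_000


@dataclass
class Hit:
    ip: str
    ts: str
    url: str
    status: int
    size: int
    likely_disclosure: bool


def parse_line(line: str):
    """Return the parsed fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return a Hit for every request that targets the GetPhpInfo.php script."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Percent-decode so that encoded variants (e.g. %2E for '.') still match.
        url = unquote(rec["url"])
        if GETPHPINFO_PATH not in url.lower():
            continue
        status = int(rec["status"])
        size = 0 if rec["size"] == "-" else int(rec["size"])
        hits.append(Hit(
            ip=rec["ip"], ts=rec["ts"], url=url, status=status, size=size,
            likely_disclosure=(status == 200 and size >= MIN_PHPINFO_BYTES),
        ))
    return hits


def disclosures(hits):
    """Hits where phpinfo output, and thus the environment, was likely served."""
    return [h for h in hits if h.likely_disclosure]


def sources(hits):
    """Distinct client addresses that probed the script, sorted."""
    return sorted({h.ip for h in hits})


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2023:03:14:07 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Nov/2023:03:14:09 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2023:11:02:41 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 521 "-" "python-requests/2.31"
192.0.2.5 - - [26/Nov/2023:11:05:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2023:09:00:12 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp HTTP/1.1" 200 84213 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "DISCLOSED" if h.likely_disclosure else "probe"
        print(f"{h.ts} {h.ip} {h.status} {h.size:>6} {flag} {h.url}")
    print("sources:", ", ".join(sources(found)))
```

A 200 on the probe is the signal to rotate the secrets listed above, since the environment was served to the requester; a 404 or 403 is still worth recording as reconnaissance. The container-side fix ownCloud describes corresponds to PHP’s `disable_functions` directive (adding `phpinfo` to it), which stops the script from producing output even if the file remains on disk.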
More than 600 enterprises and organizations use ownCloud, including European Investment Bank, European Commission, Wind River, the European Organization for Nuclear Research (CERN), Banco de Portugal and multiple Fortune 500 companies, the company said.
The Cybersecurity and Infrastructure Security Agency included the trio of ownCloud CVEs in its weekly vulnerability roundup on Monday.