CVE-2023-49103 Detection: A Critical Vulnerability in OwnCloud’s Graph API App Leveraged for in-the-Wild Attacks
- Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America - 24.04.2024
- UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine - 23.04.2024
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
Table of contents:
Hot on the heels of the Zimbra zero-day vulnerability, another critical security flaw affecting popular software comes to the scene. The open-source file-sharing software ownCloud has recently disclosed a trio of disturbing security holes in its products. Among them, the max severity vulnerability tracked as CVE-2023-49103 gained the CVSS score of 10 due to the ease of its exploitation, enabling adversaries to access user login details and collect sensitive data. The mass exploitation of CVE-2023-49103 in real-world intrusions requires ultra-responsiveness from defenders to help organizations promptly respond to the threat.
Detect CVE-2023-49103 Exploitation Attempts
Critical vulnerabilities in open-source software products pose a significant menace to cyber defenders due to the broad geography of potential victims and the high possibility of mass exploitation in the wild. To act faster than threat actors and defend proactively, security professionals require a reliable source of detection content and advanced threat detection tools. To identify possible attacks leveraging CVE-2023-49103 exploits, SOC Prime Platform offers a curated detection rule by our keen Threat Bounty developer Wirapong Petshagun.
This Sigma rule detects a potential exploitation attempt targeting The Graph API App of ownCloud bug (CVE-2023-49103). The detection is mapped to MITRE ATT&CKĀ® addressing the Initial Access tactic with the Exploit Public-Facing Application (T1190) technique. Automatically convert detection code to dozens of SIEM, EDR, XDR, and Data Lake solutions and explore relevant CTI for streamlined threat research.
To view the full list of detection rules addressing the exploitation of emerging and critical vulnerabilities, hit the Explore Detections button below. All rules are accompanied by detailed metadata, including CTI links, ATT&CK mapping, triage recommendations, and more.Ā
Enthusiastic to join the collective cyber defense and obtain financial benefits for your contribution? Register to SOC Prime Threat Bounty program for cyber defenders, contribute your own detection rules, code your future CV, network with industry experts, and receive payouts for your input.
CVE-2023-49103 Analysis
A critical vulnerability in ownCloud, a widely-used business tool for enterprise-grade file sync and sharing, identified as CVE-2023-49103 is being massively leveraged by hackers in ongoing attacks. Successful exploitation attempts enable attackers to steal sensitive info, such as admin and mail server credentials, or license keys, exposing global organizations to data breach risks.Ā
OwnCloud recently issued a public notice, revealing a maximum severe vulnerability rated with a top CVSS score of 10. CVE-2023-49103 impacts OwnCloudās Graph API app versions 0.2.0 through 0.3.0. The app’s dependency on an external library gives attackers the green light to manipulate the API-provided URL.Ā
GreyNoise team provided in-depth research into the CVE-2023-49103 exploit details based on the observed in-the-wild attacks weaponizing the flaw in the third decade of November.Ā Ā
Apart from CVE-2023-49103, OwnCloud also reported two other critical security flaws in its software ā CVE-2023-49105, an authentication bypass in the WebDAV API with a CVSS score of 9.8, and CVE-2023-49104, a subdomain validation bypass vulnerability earning a lower CVSS rating of 8.7.
OwnCloud stresses that simply removing the Graph API app cannot resolve all the issues. As recommended CVE-2023-49103 mitigation measures, defenders suggest removing the file āowncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php,ā deactivating the āphpinfoā function in Docker containers, and fully updating potentially compromised credentials. The ownCloud admins are strongly recommended to instantly apply the suggested fixes and library updates to remediate the risks.
All three above-mentioned vulnerabilities can potentially expose organizations to data breaches and phishing attacks while posing threats to the system integrity.
The increasing volumes of disclosed vulnerabilities impacting popular software products encourage organizations to continuously strengthen their cyber defense capabilities. Rely on the Threat Detection Marketplace to reach the latest detection algorithms against CVEs, zero-days, and emerging threats of any scale and seamlessly implement the proactive cybersecurity strategy into your organizationās procedures.
