=====================================================================
CERT-Renater Note d'Information No. 2023/VULN481
_____________________________________________________________________

DATE                 : 27/11/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running ownCloud core, ownCloud graphapi,
                       ownCloud oauth2.
=====================================================================

https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
https://owncloud.com/security-advisories/subdomain-validation-bypass/

_____________________________________________________________________

WebDAV API Authentication Bypass using Pre-Signed URLs
Nov 21, 2023

Risk               : high
CVSS v3 Base Score : 9.8
CVSS v3 Vector     : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE ID             : CWE-665
CWE Name           : Improper Initialization

Description

It is possible to access, modify or delete any file without
authentication if the username of the victim is known and the victim
has no signing-key configured (which is the default).

Affected

core 10.6.0 - 10.13.0

Action taken

Deny the use of pre-signed URLs if no signing-key is configured for the
owner of the files.

_____________________________________________________________________

Disclosure of sensitive credentials and configuration in containerized
deployments
Nov 21, 2023

Risk               : critical
CVSS v3 Base Score : 10
CVSS v3 Vector     : AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE ID             : CWE-200
CWE Name           : Exposure of Sensitive Information to an Unauthorized Actor

Description

The "graphapi" app ships a third-party library that includes a script
reachable by URL. When this URL is requested, the script reveals the
configuration of the PHP environment (phpinfo). This output includes all
the environment variables of the webserver.

In containerized deployments, these environment variables may include
sensitive data such as the ownCloud admin password, mail server
credentials, and license key. Simply disabling the graphapi app does not
eliminate the vulnerability: the script remains on disk and reachable.
In addition, phpinfo exposes various other potentially sensitive
configuration details that an attacker could use to gather information
about the system. Even if ownCloud is not running in a containerized
environment, this vulnerability should therefore still be a cause for
concern.

Note that Docker containers from before February 2023 are not vulnerable
to the credential disclosure.

Affected

graphapi 0.2.0 - 0.3.0

Action taken

Delete the file
owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.
Additionally, we disabled the phpinfo function in our Docker containers.
We will apply various hardenings in future core releases to mitigate
similar vulnerabilities.

We also advise rotating the following secrets:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key

_____________________________________________________________________

Subdomain Validation Bypass
Nov 21, 2023

Risk               : critical
CVSS v3 Base Score : 9
CVSS v3 Vector     : AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE ID             : CWE-284
CWE Name           : Improper Access Control

Description

Within the oauth2 app an attacker is able to pass in a specially crafted
redirect URL which bypasses the validation code and thus allows the
attacker to redirect callbacks to a domain controlled by the attacker.

Affected

oauth2 < 0.6.1

Action taken

Harden the validation code in the oauth2 app.

As a workaround you can disable the "Allow Subdomains" option, which
closes the vulnerable code path.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================
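Added illustration for the first advisory in this note (pre-signed URL authentication bypass). This is not ownCloud code: the advisory says only that access is possible when the file owner has no signing-key configured, so the example assumes one plausible shape of such a bug, consistent with CWE-665: the verifier looks up the owner's key, finds none, and falls back to an empty key, which the attacker can use just as well. The parameter names (user, sig), the HMAC-SHA256 construction, the key store and the URLs are all assumptions made for the illustration.

```python
"""
Assumed model of a pre-signed URL check (not ownCloud's implementation).
Shows the vulnerable fallback-to-empty-key verifier beside the fixed one
that refuses pre-signed URLs for owners without a configured key.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key store: "alice" has never configured a signing key
# (the default state named in the advisory); "bob" has.
SIGNING_KEYS: dict[str, Optional[bytes]] = {
    "alice": None,
    "bob": bytes.fromhex("5c7d1e9a3b2f4c6d8e0f1a2b3c4d5e6f"),
}


def _mac(key: bytes, base_url: str) -> str:
    """HMAC-SHA256 over the URL without its signature (assumed scheme)."""
    return hmac.new(key, base_url.encode(), hashlib.sha256).hexdigest()


def presign(url: str, user: str, key: bytes) -> str:
    """Append the owner name and the signature to a URL."""
    base = f"{url}?{urlencode({'user': user})}"
    return f"{base}&sig={_mac(key, base)}"


def _split(signed_url: str) -> tuple[str, str]:
    base, sep, sig = signed_url.rpartition("&sig=")
    if not sep:
        raise ValueError("URL carries no signature")
    return base, sig


def _owner(base_url: str) -> str:
    return parse_qs(urlsplit(base_url).query)["user"][0]


def verify_vulnerable(signed_url: str) -> bool:
    """Before the fix: an unset key silently becomes b"" (CWE-665)."""
    base, sig = _split(signed_url)
    key = SIGNING_KEYS.get(_owner(base)) or b""  # BUG: empty default key
    return hmac.compare_digest(_mac(key, base).encode(), sig.encode())


def verify_fixed(signed_url: str) -> bool:
    """After the fix: no configured key means pre-signed URLs are refused."""
    base, sig = _split(signed_url)
    key = SIGNING_KEYS.get(_owner(base))
    if not key:
        return False
    return hmac.compare_digest(_mac(key, base).encode(), sig.encode())


def forge(url: str, victim: str) -> str:
    """All the attacker needs is the victim's username: sign with b""."""
    return presign(url, victim, b"")


if __name__ == "__main__":
    target = "https://cloud.example.test/remote.php/dav/files/alice/payroll.xlsx"
    forged = forge(target, "alice")
    print("vulnerable verifier accepts forged URL:", verify_vulnerable(forged))  # True
    print("fixed verifier accepts forged URL:     ", verify_fixed(forged))       # False
```

The fix is a presence check, not a cryptographic change: a user who has no key must not be able to have pre-signed URLs accepted at all, which is exactly what the advisory's "Action taken" states. Users who did configure a key (bob) are unaffected in both versions.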
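Added example for the second advisory in this note (graphapi phpinfo disclosure); it is not ownCloud's code. It performs the two checks a responder wants after reading the advisory: confirm whether the file named in "Action taken" is still present under the ownCloud web root (and remove it), and scan web server access logs for requests that reached it, since a 200 response means the secrets listed above have to be rotated. The web root layout, the log lines, the client IPs and the log regex are constructed for the demonstration.

```python
"""
Presence check / removal of the exposed GetPhpInfo.php script, plus a
scan of access-log lines for requests to it. Added example, not ownCloud
code; sample data is constructed.
"""
import re
import tempfile
from pathlib import Path

# Relative path named in the advisory (below the ownCloud web root).
EXPOSED_FILE = Path(
    "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
)


def find_exposed(webroot: Path) -> list[Path]:
    """Every GetPhpInfo.php under a microsoft-graph vendor tree, not only
    the documented path: the app may also sit in an apps-external or
    backup directory (assumption, hence the recursive search)."""
    return sorted(
        p for p in webroot.rglob("GetPhpInfo.php") if "microsoft-graph" in p.parts
    )


def remove_exposed(webroot: Path, dry_run: bool = True) -> list[Path]:
    """Delete the file(s) as the vendor advises; dry_run only reports."""
    found = find_exposed(webroot)
    if not dry_run:
        for p in found:
            p.unlink()
    return found


# Combined log format (constructed regex covering the fields needed here).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def phpinfo_hits(log_lines: list[str]) -> list[tuple[str, str, int]]:
    """Requests that touched GetPhpInfo.php. Substring match on the whole
    request target rather than an exact path match, so a query string or
    trailing path info does not hide the request."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and "getphpinfo.php" in m.group("path").lower():
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 84123 "-" "curl/8.4.0"',
    '203.0.113.5 - - [21/Nov/2023:10:01:05 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 84130 "-" "curl/8.4.0"',
    '198.51.100.7 - - [21/Nov/2023:10:02:00 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 512 "-" "Mozilla/5.0"',
]


def demo_webroot() -> Path:
    """Build a throwaway web root containing the exposed script."""
    root = Path(tempfile.mkdtemp(prefix="owncloud-"))
    target = root / EXPOSED_FILE
    target.parent.mkdir(parents=True)
    target.write_text("<?php phpinfo();\n")
    return root


if __name__ == "__main__":
    root = demo_webroot()
    print("present before:", remove_exposed(root, dry_run=True))
    remove_exposed(root, dry_run=False)
    print("present after: ", find_exposed(root))
    for ip, path, status in phpinfo_hits(SAMPLE_LOG):
        print(f"{ip} fetched {path} -> {status}")
```

Run the file check against every host that has ever had the app installed, including ones where it was later disabled, because disabling the app does not remove the script. Any 200 hit in the logs is the trigger for the secret rotation the advisory asks for.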
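Added example for the third advisory in this note (oauth2 subdomain validation bypass). The advisory does not show ownCloud's validation code, so this is not it: the example places a naive redirect-URI check beside a hardened one that compares parsed URL components, with an `allow_subdomains` flag standing in for the "Allow Subdomains" option named in the workaround. The registered callback and the attacker hosts are constructed for the illustration.

```python
"""
Naive versus hardened OAuth2 redirect-URI validation. Added example; the
function names, the flag and the sample URLs are assumptions.
"""
from urllib.parse import urlsplit


def redirect_allowed_naive(registered: str, candidate: str) -> bool:
    """Weak check: accepts any authority that merely contains the
    registered host as a substring. app.example.com.attacker.tld,
    evilapp.example.com and app.example.com@attacker.tld all pass."""
    reg_host = urlsplit(registered).netloc
    return reg_host in urlsplit(candidate).netloc


def redirect_allowed(registered: str, candidate: str,
                     allow_subdomains: bool = False) -> bool:
    """Hardened check: scheme, port, path and query must match exactly;
    the host must match exactly or, when subdomains are allowed, be a
    label-boundary subdomain of the registered host."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    if reg.hostname is None or cand.hostname is None:
        return False
    if cand.scheme.lower() != reg.scheme.lower():
        return False  # no downgrade to http
    try:
        if cand.port != reg.port:
            return False
    except ValueError:  # malformed port such as "host:abc"
        return False
    if cand.path != reg.path or cand.query != reg.query:
        return False
    # .hostname is lower-cased and has userinfo stripped, so
    # "app.example.com@attacker.tld" is seen as attacker.tld.
    if cand.hostname == reg.hostname:
        return True
    return allow_subdomains and cand.hostname.endswith("." + reg.hostname)


if __name__ == "__main__":
    registered = "https://app.example.com/callback"
    cases = [
        "https://app.example.com/callback",
        "https://api.app.example.com/callback",
        "https://app.example.com.attacker.tld/callback",
        "https://evilapp.example.com/callback",
        "https://app.example.com@attacker.tld/callback",
        "http://app.example.com/callback",
    ]
    print(f"{'candidate':48} naive  hardened(subdomains on)")
    for c in cases:
        print(f"{c:48} {str(redirect_allowed_naive(registered, c)):6} "
              f"{redirect_allowed(registered, c, allow_subdomains=True)}")
```

The workaround in the advisory corresponds to calling the hardened check with `allow_subdomains=False`, which makes only an exact host match acceptable; the fix proper is the label-boundary comparison (`"." + registered host`) on the parsed hostname rather than a substring or suffix test on the raw string.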