Hello and welcome to the Tuesday, November 28, 2023 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

One issue I probably should have covered yesterday, but while I sort of ran out of time, is three vulnerabilities in OnCloud.

OwnCloud is an open source file sharing system. It does have sort of a commercial component

to it. And OnCloud did on November 21st, so just last week, release an update that fixes three critical vulnerabilities, one of which

we already see being exploited in our sensors.

The one that's already exploited is also the one that's the most severe of the vulnerabilities.

That's CVE 2023-49-3. CVSS score of 10 and it does, yes, allow

arbitrary code execution as administrator appears to be most critical or most severe if the

own cloud install is running inside a container.

The problem here is that the Graph API library that is installed with OnGlaude does provide some

test scripts that remained on the system, and one of them gets you access to PHP info.

If you're familiar with PHP, PHP info is often used for debugging.

It's a command that sort of dumps the entire system configuration, including in this case

usernames and passwords for administrator,

also things like API keys,

in particular if you're connecting to something like S3 with OnCloud

and the mail server credentials and the like.

The second vulnerability CVE 20203-49105

does allow the arbitrary modification and deletion of files if any of your users

has no signing key configured.

And that's the default if you just set up a new user.

...