In this week's Security Advisory:
- Three Vulnerabilities Found in ownCloud Could Lead to Information Disclosure
- Zero-Day Found in Google Chrome Desktop Browser
Three Vulnerabilities in ownCloud Could Lead to Information Disclosure
Three (3) vulnerabilities were found in ownCloud, an open-source file-sharing and collaboration software, that could lead to the disclosure of sensitive information. The most severe is being tracked as CVE-2023-49103 and has received a CVSS score of 10 out of 10, the highest score a vulnerability can receive. CVE-2023-49103 is due to a flaw in the graphapi app that could lead to the disclosure of sensitive information. The graphapi app depends on a third-party library that exposes PHP environment information (phpinfo) through a URL, revealing ownCloud admin passwords, mail server credentials, and license keys. The second vulnerability, CVE-2023-49105, is an authentication bypass vulnerability that allows an attacker to access, view, or delete files without any authentication. The third vulnerability, CVE-2023-49104, is a subdomain validation bypass that redirects callbacks to a domain controlled by the attacker. CVE-2023-49105 and CVE-2023-49104 received CVSS scores of 9.8 and 8.7 out of a possible 10, respectively.
The following versions are affected:
- graphapi versions 0.2.0 - 0.3.0
- core versions 10.6.0 - 10.13.0
- oauth2 prior to version 0.6.1
More Reading/Information
- https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
- https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
- https://owncloud.com/security-advisories/subdomain-validation-bypass/
- https://www.securityweek.com/critical-owncloud-flaws-lead-to-sensitive-information-disclosure-authentication-bypass/
- https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-owncloud-flaw-patch-now/
- https://nvd.nist.gov/vuln/detail/CVE-2023-49103
- https://nvd.nist.gov/vuln/detail/CVE-2023-49105
- https://nvd.nist.gov/vuln/detail/CVE-2023-49104
Zero-Day in Google Chrome Desktop Browser
Google released an emergency security update to fix multiple vulnerabilities, including a zero-day that is actively being exploited in the wild. The zero-day, CVE-2023-6345, is an integer overflow in Skia, an open source 2D graphics library. Successful exploitation of this vulnerability could lead to the threat actor executing arbitrary code on the victim's host or the user's browser crashing, leading to a denial-of-service attack.
- https://chromereleases.googleblog.com/2023/11/stable-channel-update-for-desktop_28.html
- https://www.helpnetsecurity.com/2023/11/29/cve-2023-6345/
- https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/
- https://nvd.nist.gov/vuln/detail/CVE-2023-6345
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
