Owncloud gets Owned

phaZed

There is something to be said for "security by obscurity" (that is: lack of immediate public disclosure) when a vulnerability like this is found until a patch has been issued.

Yelling, "Yoo Hoo!!, the door's wide open!," to the world, most of which had no idea otherwise, before patching is just asking for trouble.
 
There is something to be said for "security by obscurity" (that is: lack of immediate public disclosure) when a vulnerability like this is found until a patch has been issued.

Yelling, "Yoo Hoo!!, the door's wide open!," to the world, most of which had no idea otherwise, before patching is just asking for trouble.

It is one's natural instinct, or nature, to think that. But honestly....news of exploits spreads faster than wildfire...the "underground hackers" social media was fully aware of this way before the writer of the above linked article from arstechnica started typing up the first sentence of the article.
Also, any hosted ownEDCloud server (heh..get it...ownED cloud..lol..I made a funny) is instantly found by fingerprint tools. The hackers have these fingerprint tools which scour the internet very quickly...and find what you tell them to look for. Refer to the linked article..."a recent scan revealed more than 11,000 IP addresses hosting ownCloud servers, led by addresses in Germany, the US, France, Russia, and Poland".

OwnCloud was pretty cool, we used the Datto version of it back in the day for a few clients, and ourselves. One often thinks that an open sourced product is a bit more...less likely to have major exploits like this, due to the nature of being open source...with community looking at the code and pitching in.
 
news of exploits spreads faster than wildfire...the "underground hackers" social media was fully aware of this way before the writer of the above linked article from arstechnica started typing up the first sentence of the article.

I have no doubt you're correct, but that still keeps the news away from "script kiddies" that play with this stuff for amusement.

True nefarious actors tend to find this stuff first, but not always. But keeping this information from spreading far and wide to those who would "try just for the heck of it" and possibly wreak havoc when doing so has at least some marginal value.

I have never felt that transparency regarding unpatched vulnerabilities is a good thing. At least if there's nothing the general public can actually do to remedy the situation. If they can, that's a different situation altogether. There's plenty enough that circulates among the community that actually needs to know and needs to fix, and the more it stays there, the better, in general.
 
The problem here seems to be with a 3rd party library, graphapi.

Simply by referencing owncloudserver.wut/GetPhpInfo.php - it will dump a full list of all the webserver environment variables including admin passwords, mail server credentials, and license keys.

So, reviewing the Owncloud source code wouldn't necessarily expose the problem as it is rooted in the Graph Library.
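A defender reading this post will want to know whether their own server has already been hit. The following is an added example (not code from the thread or from ownCloud) that scans web-server access logs in combined format for requests that reach a GetPhpInfo.php file, the file name named above, and separates answered (2xx) requests from blocked ones. The log lines, IP addresses and directory path under graphapi are constructed placeholders; only the file name comes from the discussion.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample access log lines (combined format); addresses are RFC 5737
# documentation ranges and the graphapi directory path is a placeholder, not the real one.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2023:10:01:02 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2023:10:01:09 +0000] "GET /graphapi-placeholder-path/GetPhpInfo.php HTTP/1.1" 200 88231 "-" "curl/8.4.0"
198.51.100.4 - - [27/Nov/2023:10:02:15 +0000] "GET /remote.php/dav/files/alice/ HTTP/1.1" 207 1340 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Nov/2023:10:03:44 +0000] "GET /GetPhpInfo.php/extra?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Enough of the combined log format to pull out client, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    exposed: bool  # True when the server answered 2xx, i.e. phpinfo output was most likely served


def path_hits_phpinfo(target: str) -> bool:
    """Match the file name as a whole path segment (case-insensitive) so that
    query strings and trailing PATH_INFO (.../GetPhpInfo.php/extra) do not hide it."""
    path = target.split("?", 1)[0]
    return any(seg.lower() == "getphpinfo.php" for seg in path.split("/"))


def scan_access_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not path_hits_phpinfo(m["target"]):
            continue
        status = int(m["status"])
        path = m["target"].split("?", 1)[0]
        findings.append(Finding(m["ip"], m["ts"], path, status, 200 <= status < 300))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        verdict = "LIKELY EXPOSED - rotate credentials seen in phpinfo" if f.exposed else "blocked"
        print(f"{f.timestamp} {f.ip} {f.path} -> {f.status} ({verdict})")
```

Any 2xx hit means the environment variables the post lists were served to that client, so the practical response is credential rotation, not just patching.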
 
OwnCloud was pretty cool, we used the Datto version of it back in the day for a few clients, and ourselves. One often thinks that an open sourced product is a bit more...less likely to have major exploits like this, due to the nature of being open source...with community looking at the code and pitching in.

Usually OSS projects do get better with time due to the number of people involved. The problem? ownCloud is NOT open source. It's open-core, with closed addons. Untangle did a similar model. The FOSS people that made ownCloud forked it when ownCloud went corporate and created Nextcloud, which remains a complete FOSS solution.

Nextcloud has CVEs listed similar to this one, which indicates the fault has been in the product for a very long time.

Doesn't really matter; all software is imperfect. What matters is how quickly an organization can get things fixed once things are known. FOSS projects typically have the lead on security patches in terms of time scales, but they also tend to take a bit of a hit in the quality of those fixes. But then the quality improves faster with a more aggressive release schedule...

I like FOSS more than closed source mostly because if I have to, I can get involved. Any organization that relies on a given bit of open code can submit fixes for it. There are times when that ability to invest is critical.
 