CVE-2023-49105

9.8 CRITICAL

📋 TL;DR

An unauthenticated attacker who knows a victim's username can access, modify, or delete any file reachable through that user's WebDAV tree, provided the victim has no signing-key configured, which is the default state for an account. It affects ownCloud core versions 10.6.0 through 10.13.0. The root cause is that the server still honours a pre-signed WebDAV URL for an account that has no signing-key, so the signature check can be satisfied without any secret belonging to that user; 10.13.1 refuses pre-signed URLs outright when the file owner has no key.
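The failure mode in the TL;DR, modelled in a small Python example added here (not ownCloud's code): the parameter names, the HMAC-SHA256 construction, the in-memory key store and the usernames are stand-ins for illustration, and the real ownCloud derivation is not reproduced. What it shows is why a verifier that derives the expected signature from whatever key is stored, including the empty string of an account that never got one, is forgeable by anyone who knows the username, and how the hardened check refuses pre-signed access when no key exists.

```python
"""Model of a pre-signed URL check that fails the way CVE-2023-49105 is described.

Added illustration only: parameter names, the HMAC-SHA256 construction and the
in-memory key store are stand-ins, not ownCloud's implementation.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-user signing keys. The empty string models an account for
# which no signing-key was ever configured (the default state).
USER_SIGNING_KEYS = {
    "alice": "c0ffee-alice-long-random-key",
    "bob": "",
}


def canonical_string(path, params):
    """String covered by the signature: the path plus every parameter except the signature."""
    covered = sorted((k, v) for k, v in params.items() if k != "sig")
    return path + "?" + urlencode(covered)


def presign(path, user, verb, expires, key):
    """Issue a pre-signed URL; only a party holding `key` should be able to do this."""
    params = {"user": user, "verb": verb, "expires": str(expires)}
    mac = hmac.new(key.encode(), canonical_string(path, params).encode(), hashlib.sha256)
    params["sig"] = mac.hexdigest()
    return path + "?" + urlencode(params)


def verify(url, method, now, require_key):
    """Return True if the request may proceed.

    require_key=False reproduces the vulnerable behaviour: the expected signature is
    derived from whatever key is stored, even when that is the empty string.
    require_key=True is the hardened check: no configured key, no pre-signed access.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    key = USER_SIGNING_KEYS.get(params.get("user", ""), "")  # unknown user also yields ''
    if require_key and key == "":
        return False
    if method != params.get("verb") or int(params.get("expires", "0")) < now:
        return False
    expected = hmac.new(key.encode(), canonical_string(parts.path, params).encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), params.get("sig", ""))


def attacker_forge(path, victim, verb, now):
    """Unauthenticated attacker knowing only the username: sign with the empty key."""
    return presign(path, victim, verb, now + 600, key="")


def demo(now=1_700_000_000):
    """Outcome of a forged DELETE against an unkeyed and a keyed account."""
    url_bob = attacker_forge("/dav/files/bob/secret.txt", "bob", "DELETE", now)
    url_alice = attacker_forge("/dav/files/alice/secret.txt", "alice", "DELETE", now)
    return {
        "bob_vulnerable": verify(url_bob, "DELETE", now, require_key=False),      # True: forgery accepted
        "bob_hardened": verify(url_bob, "DELETE", now, require_key=True),         # False: refused, no key
        "alice_vulnerable": verify(url_alice, "DELETE", now, require_key=False),  # False: key unknown to attacker
        "wrong_verb": verify(url_bob, "GET", now, require_key=False),             # False: verb is signed too
    }


if __name__ == "__main__":
    print(demo())
```

The attacker side needs nothing secret: it signs with the empty key and succeeds exactly for accounts in the default state, while an account with a real key is untouched. The hardened branch is the shape of the fix the vendor advisory describes for 10.13.1: no configured key means no pre-signed access, decided before any signature comparison.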

💻 Affected Systems

Products:
  • ownCloud core
Versions: 10.6.0 through 10.13.0
Operating Systems: All platforms running ownCloud
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable against any account that has no signing-key configured, which is the default state, so in practice most accounts on an unpatched instance are exposed. The attacker must know a valid username but needs no password, session, or interaction with the victim.

📦 What is this software?

ownCloud is a self-hosted file sync and share server. Its WebDAV API under remote.php/dav is how the desktop and mobile sync clients and the web frontend read and write files; pre-signed URLs let a client fetch or upload a file through that API with a per-user signature in the query string instead of a session or password. The pre-signed URL mechanism is what this CVE concerns, and 10.6.0, the start of the affected range, is the first version that offers it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete data breach where attackers can exfiltrate, modify, or delete all files in the ownCloud instance, potentially leading to data loss, compliance violations, and business disruption.

🟠

Likely Case

Targeted attacks against specific users to access sensitive files, potentially leading to data theft or ransomware deployment.

🟢

If Mitigated

Limited if the instance is already on 10.13.1 or later, or if remote.php/dav is reachable only from trusted networks. Access controls and monitoring shorten the time to notice attempts but do not stop the bypass on a vulnerable version.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single crafted WebDAV request once a valid username is known; no password, session, or interaction with the victim is needed, and usernames are often guessable from e-mail addresses or naming conventions. The vulnerability is well documented in public advisories and write-ups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.13.1

Vendor Advisory: https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/

Restart Required: No

Instructions:

1. Back up your ownCloud instance and database.
2. Update ownCloud core to version 10.13.1 or later.
3. Confirm the running version (Admin -> Overview, occ status on the server, or status.php at the web root) reports 10.13.1 or later.
4. No per-user follow-up is needed: from 10.13.1 the server rejects pre-signed URLs for any account that has no signing-key, which is exactly the condition the bypass relied on.

🔧 Temporary Workarounds

Check which accounts have a signing-key

Platform: all

The vulnerable check only protects accounts that already have a signing-key, and that key is a per-user value (ownCloud stores it in the user preferences under app core, key signing-key), not a site-wide setting. There is no administrative switch that creates one for every account, so treat this as an exposure check rather than a workaround: every account whose signing-key is missing or empty stays attackable until the patch is applied, while accounts that do have one are not affected by this CVE.

Restrict access to the WebDAV endpoint

Platform: all

'webdav.enabled' => false is not a config.php option ownCloud recognises, and the server has no supported switch that turns WebDAV off: the web frontend and the desktop and mobile sync clients all reach files through remote.php/dav. If patching must wait, restrict reachability instead: at the reverse proxy or web server, allow remote.php/dav and remote.php/webdav only from trusted networks, or deny requests to those paths that carry the pre-signed OC-Signature parameter from outside them. Expect breakage: pre-signed URLs are used for legitimate downloads (that is why the feature exists), so blocking them wholesale blocks those downloads as well.

🧯 If You Can't Patch

  • Restrict reachability of the ownCloud instance, or at least of remote.php/dav, to trusted networks at the firewall or reverse proxy.
  • Log full request lines including query strings for remote.php/dav and review them for pre-signed requests (OC-Signature present) that write or delete, or that name accounts without a signing-key. Every pre-signed request shows an empty HTTP user by design, so "unauthenticated" on its own is not a useful filter.

🔍 How to Verify

Check if Vulnerable:

Check your ownCloud version. If it is between 10.6.0 and 10.13.0 inclusive, the instance is vulnerable. Then check which accounts lack a signing-key: the key is stored per user in the preferences (app core, key signing-key), and every account where it is missing or empty is exposed on a vulnerable version.

Check Version:

Check the version in ownCloud Admin -> Overview, in the version entry of config/config.php, with occ status on the server, or from the unauthenticated status.php endpoint at the web root, which returns JSON including a versionstring field.

Verify Fix Applied:

Verify the ownCloud version is 10.13.1 or later. Then confirm the behaviour, not just the number: a pre-signed WebDAV URL for an account that has no signing-key must be rejected whatever signature it carries, while pre-signed downloads for accounts that do have a key keep working.
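An exposure check for the two conditions above, as an added example (not ownCloud tooling): it decides whether a versionstring from status.php falls in 10.6.0 to 10.13.0, and lists accounts whose signing-key is missing or empty. The status.php body and the SQLite tables are constructed for the example; the tables are assumed to mirror ownCloud's oc_users and oc_preferences schema, and the core / signing-key preference name is where ownCloud keeps the per-user key (confirm column and key names against your own schema). Point the query at the real database, using oc_accounts.user_id instead of oc_users.uid if your users come from LDAP or another backend, to get the actual list.

```python
"""Exposure check for CVE-2023-49105: version range plus accounts without a signing-key.

Added example; the status.php body and the SQLite tables are constructed. The table
and preference names mirror ownCloud's oc_users / oc_preferences as an assumption.
"""
import json
import sqlite3

FIRST_VULNERABLE = (10, 6, 0)
FIRST_FIXED = (10, 13, 1)

# Constructed status.php response; the real endpoint sits at the web root and is unauthenticated.
SAMPLE_STATUS_JSON = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"10.13.0.1","versionstring":"10.13.0","edition":"Community",'
    '"productname":"ownCloud","product":"ownCloud"}'
)


def parse_version(versionstring):
    """'10.13.0' -> (10, 13, 0); tolerates a trailing build component like '10.13.0.1'."""
    parts = tuple(int(p) for p in versionstring.strip().split(".")[:3])
    return parts + (0,) * (3 - len(parts))


def version_is_vulnerable(versionstring):
    """True for 10.6.0 through 10.13.0 inclusive; 10.13.1 and later carry the fix."""
    return FIRST_VULNERABLE <= parse_version(versionstring) < FIRST_FIXED


def version_from_status(status_body):
    """Pull versionstring out of a status.php JSON body."""
    return json.loads(status_body)["versionstring"]


def users_without_signing_key(conn):
    """Accounts whose core/signing-key preference is absent or empty (assumed schema)."""
    rows = conn.execute(
        """
        SELECT u.uid
        FROM oc_users u
        LEFT JOIN oc_preferences p
               ON p.userid = u.uid AND p.appid = 'core' AND p.configkey = 'signing-key'
        WHERE p.configvalue IS NULL OR p.configvalue = ''
        ORDER BY u.uid
        """
    ).fetchall()
    return [uid for (uid,) in rows]


def build_sample_db():
    """In-memory stand-in for the ownCloud database (constructed rows, assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE oc_users (uid TEXT PRIMARY KEY, displayname TEXT);
        CREATE TABLE oc_preferences (userid TEXT, appid TEXT, configkey TEXT, configvalue TEXT);
        INSERT INTO oc_users VALUES ('alice', 'Alice'), ('bob', 'Bob'), ('carol', 'Carol');
        INSERT INTO oc_preferences VALUES
            ('alice', 'core', 'signing-key', '9f2c-constructed-key'),  -- has a key
            ('bob',   'core', 'lang',        'en'),                    -- no signing-key row at all
            ('carol', 'core', 'signing-key', '');                      -- row present but empty
        """
    )
    return conn


def assess(status_body, conn):
    """Combine both checks: exposed accounts matter only on a vulnerable version."""
    version = version_from_status(status_body)
    vulnerable = version_is_vulnerable(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "exposed_users": users_without_signing_key(conn) if vulnerable else [],
    }


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS_JSON, build_sample_db()))
```

The LEFT JOIN deliberately treats "no preference row" and "empty value" the same way, since both leave the account without a usable key; a query that only looks for empty values would miss the common case of accounts that never had the row created.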

📡 Detection & Monitoring

Log Indicators:

  • Pre-signed WebDAV requests (requests to remote.php/dav carrying an OC-Signature parameter) whose OC-Verb is anything other than GET or HEAD, for example PUT, DELETE, MOVE or MKCOL
  • Pre-signed requests whose OC-Credential names an account that has no signing-key; the server could never have issued such a URL legitimately
  • The same OC-Credential used from many source addresses, or from addresses the named user never logs in from

Network Indicators:

  • Pre-signed WebDAV requests from unexpected sources, especially with a generic HTTP client user agent rather than an ownCloud client or browser
  • Bulk or scripted downloads and deletions against remote.php/dav that do not correspond to any interactive session

SIEM Query:

source="access.log" AND "/remote.php/dav/" AND "OC-Signature=" AND NOT "OC-Verb=GET" AND NOT "OC-Verb=HEAD" AND (status="200" OR status="201" OR status="204")

The request line and status code come from the web server access log rather than owncloud.log. Do not key the query on an empty HTTP user field alone: every pre-signed request is unauthenticated at the HTTP layer by design, so user="-" matches legitimate downloads as well as attacks.
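The indicators above applied to web server access log lines, as an added example (not part of the page or of ownCloud): the log lines are constructed, the thresholds are assumptions to tune against your own baseline, and the parameter names OC-Credential, OC-Verb and OC-Signature follow ownCloud's pre-signed URL convention as understood here, so confirm them against a real pre-signed download in your own logs. The parser keeps every pre-signed request, and the heuristics flag writes through pre-signed URLs, credentials naming accounts known to have no signing-key, and one credential used from several source addresses.

```python
"""Pre-signed WebDAV request detection over web server access log lines.

Added example; log lines are constructed, thresholds are assumptions, and the
OC-* parameter names follow ownCloud's pre-signed URL convention as understood here.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (RFC 5737 addresses, fake signatures).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2023:10:01:02 +0000] "GET /remote.php/dav/files/alice/report.pdf?OC-Credential=alice&OC-Date=2023-11-20T10%3A00%3A00Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=aaaa1111 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2023:10:05:44 +0000] "DELETE /remote.php/dav/files/bob/backups/keys.zip?OC-Credential=bob&OC-Date=2023-11-20T10%3A05%3A00Z&OC-Expires=1200&OC-Verb=DELETE&OC-Signature=bbbb2222 HTTP/1.1" 204 0 "-" "python-requests/2.31"
198.51.100.9 - - [20/Nov/2023:10:05:50 +0000] "PUT /remote.php/dav/files/bob/backups/keys.zip?OC-Credential=bob&OC-Date=2023-11-20T10%3A05%3A00Z&OC-Expires=1200&OC-Verb=PUT&OC-Signature=cccc3333 HTTP/1.1" 201 0 "-" "python-requests/2.31"
192.0.2.33 - - [20/Nov/2023:10:06:01 +0000] "GET /remote.php/dav/files/bob/notes.txt?OC-Credential=bob&OC-Date=2023-11-20T10%3A06%3A00Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=dddd4444 HTTP/1.1" 200 912 "-" "curl/8.4.0"
192.0.2.33 - - [20/Nov/2023:10:06:09 +0000] "GET /remote.php/dav/files/carol/notes.txt?OC-Credential=carol&OC-Date=2023-11-20T10%3A06%3A00Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=eeee5555 HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.7 alice - [20/Nov/2023:10:07:30 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 3320 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_presigned(log_text):
    """One record per request to remote.php/dav that carries an OC-Signature parameter."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if "/remote.php/dav/" not in target.path:
            continue
        q = {k: v[0] for k, v in parse_qs(target.query, keep_blank_values=True).items()}
        if "OC-Signature" not in q:
            continue  # ordinary (session or basic-auth) WebDAV traffic
        records.append({
            "ip": m["ip"],
            "http_user": m["user"],  # '-' for every pre-signed request: the signature is the credential
            "method": m["method"],
            "path": target.path,
            "status": int(m["status"]),
            "credential": q.get("OC-Credential", ""),
            "verb": q.get("OC-Verb", "").upper(),
        })
    return records


def find_suspicious(log_text, unkeyed_users=frozenset(), max_ips_per_user=1):
    """Heuristic findings as (kind, credential, source, detail) tuples."""
    findings = []
    ips_per_user = defaultdict(set)
    for r in parse_presigned(log_text):
        ips_per_user[r["credential"]].add(r["ip"])
        detail = f'{r["method"]} {r["path"]} -> {r["status"]}'
        if r["verb"] not in ("GET", "HEAD"):
            findings.append(("write-via-presigned", r["credential"], r["ip"], detail))
        if r["credential"] in unkeyed_users:
            findings.append(("unkeyed-user", r["credential"], r["ip"], detail))
    for user, ips in sorted(ips_per_user.items()):
        if len(ips) > max_ips_per_user:
            findings.append(("multi-source", user, ",".join(sorted(ips)), f"{len(ips)} source addresses"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG, unkeyed_users={"bob"}):
        print(*finding)
```

Failed requests are kept on purpose: on a patched server a rejected pre-signed write (a 401 or 403 against an account with no key) is still evidence that someone is probing, and the unkeyed_users set is the natural place to feed in the list produced by the exposure check in the verification section.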
