Friday, February 14, 2025

WATCH OUT! If you use ThinkPHP or ownCloud, two old vulnerabilities are being exploited in the wild...

Security teams must remain proactive, not just against novel attacks, but also against the resurgence of older vulnerabilities. Recent threat intelligence indicates a significant uptick in malicious actors targeting systems still vulnerable to security flaws from 2022 and 2023. Specifically, GreyNoise, a leading threat monitoring platform, has reported a surge in exploitation attempts targeting CVE-2022-47945 and CVE-2023-49103. These critical vulnerabilities affect ThinkPHP Framework and ownCloud, the popular open-source file sharing and synchronization solution.

Critical Vulnerabilities Under Active Exploitation

Both CVE-2022-47945 and CVE-2023-49103 are classified as critical severity issues. Successful exploitation of the ThinkPHP flaw can lead to arbitrary operating system command execution on the server; the ownCloud flaw lets an unauthenticated attacker read the server's PHP environment, which in containerized deployments includes the administrative password, mail server credentials, and the license key. Either outcome effectively hands over the keys to your digital kingdom.

CVE-2022-47945: ThinkPHP Framework Local File Inclusion

The first vulnerability, CVE-2022-47945, is a Local File Inclusion (LFI) flaw in the `lang` parameter of ThinkPHP Framework versions prior to 6.0.14. If the language pack feature is enabled (the `lang_switch_on` setting), an unauthenticated remote attacker can supply a path-traversal value for `lang` and have the framework include an arbitrary local PHP file. On its own the LFI only includes files already present on the server; in practice it is escalated to operating system command execution by including a PHP file whose contents the attacker can influence, most commonly the PEAR `pearcmd.php` script shipped in the official PHP Docker images. The result is complete control of the vulnerable server from a few specially crafted requests.

Akamai's research from last summer revealed that Chinese threat actors had already begun leveraging this flaw in targeted operations as early as October 2023. Alarmingly, GreyNoise data now shows that CVE-2022-47945 is experiencing high-volume exploitation, with attacks originating from an expanding pool of source IP addresses.

According to GreyNoise, they have observed 572 unique IPs actively attempting to exploit this vulnerability, with a clear upward trend in recent days. This is particularly concerning given the vulnerability's relatively low Exploit Prediction Scoring System (EPSS) score of 7% and its absence from CISA's Known Exploited Vulnerabilities (KEV) catalog. This highlights a crucial point: a vulnerability that prediction scores rank as unlikely to be exploited, and that is missing from the usual prioritization lists, can still become the target of widespread exploitation.

[Figure: Daily exploitation activity for CVE-2022-47945. Source: GreyNoise]

CVE-2023-49103: ownCloud Information Disclosure

The second vulnerability, CVE-2023-49103, impacts ownCloud, a widely adopted open-source file-sharing software. The flaw is in the ownCloud `graphapi` app, which bundles a third-party library (the Microsoft Graph PHP SDK) together with a test script, `GetPhpInfo.php`, that simply calls `phpinfo()`. Because the script is reachable without authentication at `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`, anyone can read the PHP environment of the server, including the environment variables that containerized ownCloud deployments use to pass in the admin password, mail server credentials, database credentials, and the license key.

Disclosed by the developers in November 2023, CVE-2023-49103 was rapidly weaponized. Attackers began exploiting it to pull credentials and other sensitive information from vulnerable, unpatched ownCloud instances. The severity of this vulnerability was further underscored when the FBI, CISA, and NSA listed CVE-2023-49103 among the top 15 routinely exploited vulnerabilities of 2023.

Despite vendor patches having been available for more than a year, numerous ownCloud deployments remain unpatched and vulnerable. GreyNoise has detected a recent surge in CVE-2023-49103 exploitation, with malicious activity originating from 484 unique IPs.
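Both attacks leave an obvious trace in ordinary web-server access logs: a `lang=` value containing path traversal (often `pearcmd`) for the ThinkPHP flaw, and a request for the `GetPhpInfo.php` path for the ownCloud flaw. The following script, an added example and not GreyNoise's, ThinkPHP's or ownCloud's code, scans combined-format log lines for both patterns and tallies hits per CVE and per source IP. The log lines embedded in it are constructed for illustration (the addresses are documentation ranges), and the decision to treat `..`, `pearcmd` or a backslash in the `lang` value as a probe is the script's own heuristic.

```python
"""Scan web-server access logs for CVE-2022-47945 / CVE-2023-49103 probes.

Added example (not from GreyNoise, ThinkPHP or ownCloud). The sample log
lines below are constructed for illustration; the IPs are documentation ranges.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined/common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path suffix of the bundled test script that leaks phpinfo() in vulnerable graphapi builds.
OWNCLOUD_PHPINFO = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Constructed sample traffic: two ThinkPHP LFI probes (one percent-encoded),
# one successful and one failed (404) ownCloud phpinfo fetch, and one benign
# language switch that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2025:10:01:02 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=eval($_POST[1])?>+/tmp/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2025:10:02:15 +0000] "GET /index.php?lang=%2e%2e%2f%2e%2e%2fusr%2flocal%2flib%2fphp%2fpearcmd HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2025:10:03:44 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 98211 "-" "curl/8.4.0"
192.0.2.44 - - [12/Feb/2025:10:04:09 +0000] "GET /index.php?lang=zh-cn HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2025:10:05:00 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 210 "-" "curl/8.4.0"
"""


def decode(target: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e) is also caught."""
    return unquote(unquote(target))


def classify(target: str):
    """Return the CVE identifier a request target matches, or None."""
    path, _, query = decode(target).partition("?")
    if path.lower().endswith(OWNCLOUD_PHPINFO):
        return "CVE-2023-49103"
    m = re.search(r'(?:^|[&;])lang=([^&;]*)', query, re.IGNORECASE)
    if m:
        lang = m.group(1)
        # Heuristic: a legitimate language code never contains traversal or a PHP file name.
        if ".." in lang or "\\" in lang or "pearcmd" in lang.lower():
            return "CVE-2022-47945"
    return None


def scan(log_text: str) -> list:
    """Return one dict per matching request: cve, ip, status and raw target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        cve = classify(m["target"])
        if cve:
            hits.append({"cve": cve, "ip": m["ip"],
                         "status": int(m["status"]), "target": m["target"]})
    return hits


def summarize(hits: list):
    """Counts per CVE and per source IP, the shape of the GreyNoise-style tallies above."""
    return Counter(h["cve"] for h in hits), Counter(h["ip"] for h in hits)


def successful_disclosures(hits: list) -> list:
    """ownCloud phpinfo requests answered with 200: the environment was served."""
    return [h for h in hits if h["cve"] == "CVE-2023-49103" and h["status"] == 200]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    by_cve, by_ip = summarize(found)
    for cve, n in by_cve.items():
        print(f"{cve}: {n} probe(s)")
    for ip, n in by_ip.items():
        print(f"{ip}: {n} probe(s)")
    for h in successful_disclosures(found):
        print(f"phpinfo served to {h['ip']}: treat every secret in the environment as exposed")
```

A 200 on the ownCloud path is the line that matters for incident response: it means `phpinfo()` output, and therefore the environment, left the server, so the secrets it held must be rotated regardless of whether the install has since been patched. For the ThinkPHP probes the status code alone does not prove code execution; correlate the source IPs with new files under `/tmp` or the web root and with outbound connections from the PHP process.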

[Figure: Unique IPs targeting ownCloud (CVE-2023-49103) per day. Source: GreyNoise]

DevOps Action Plan: Secure Your Systems Now

These resurgent attacks serve as a stark reminder for DevOps and security teams: patching is not a one-time task, but a continuous process. Neglecting to apply security updates, even for older vulnerabilities, can leave your infrastructure exposed to significant risk.

To effectively mitigate these threats and bolster your overall security posture, implement the following DevOps best practices:

  • Immediate Patching: Upgrade your ThinkPHP Framework installations to version 6.0.14 or later. For ownCloud, upgrade the graphapi app to version 0.3.1 or newer (0.2.1 or newer on the 0.2.x line); if you cannot upgrade immediately, delete the file apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disable the phpinfo function in your PHP configuration. Prioritize these updates in your patching schedule.
  • Rotate Exposed Secrets: Because CVE-2023-49103 leaks credentials rather than merely granting access, patching alone does not undo the damage. If an ownCloud instance was reachable while vulnerable, assume the admin password, mail server credentials, database credentials, object-store keys, and license key were read, and rotate them.
  • Proactive Vulnerability Management: Implement a robust vulnerability management program that includes regular vulnerability scanning, timely patching, and continuous monitoring.
  • Threat Intelligence Integration: Leverage threat intelligence feeds, like GreyNoise, to stay informed about emerging threats and prioritize remediation efforts based on real-world exploitation data.
  • Network Segmentation and Firewalls: For systems that cannot be immediately patched, consider taking them offline or placing them behind a firewall to significantly reduce their attack surface and limit potential damage.
  • Regular Security Audits: Conduct periodic security audits to identify and address any unpatched vulnerabilities or misconfigurations within your infrastructure.
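Checking whether the patch threshold above has actually been met is something you can script and run from configuration management, without touching the live services. The script below is an added example, not a tool from ThinkPHP or ownCloud. It assumes ThinkPHP was installed with Composer, so that `composer.lock` lists the `topthink/framework` package and its version, and that the ownCloud graphapi app records its version in `apps/graphapi/appinfo/info.xml` under a `<version>` element; the two sample documents embedded in it are constructed for illustration.

```python
"""Offline patch-status check for CVE-2022-47945 and CVE-2023-49103.

Added example (not a vendor tool). Assumptions: ThinkPHP is tracked in
composer.lock as package topthink/framework, and the ownCloud graphapi app
records its version in apps/graphapi/appinfo/info.xml. The sample documents
below are constructed for illustration.
"""
import json
import re
import xml.etree.ElementTree as ET

# First fixed ThinkPHP release for CVE-2022-47945.
THINKPHP_FIXED = (6, 0, 14)
# graphapi fixes for CVE-2023-49103 per affected branch: 0.2.x -> 0.2.1, 0.3.x -> 0.3.1.
GRAPHAPI_FIXED = {(0, 2): (0, 2, 1), (0, 3): (0, 3, 1)}

# Constructed samples: an unpatched ThinkPHP 6.0.13 and an unpatched graphapi 0.3.0.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "topthink/framework", "version": "v6.0.13"},
        {"name": "topthink/think-orm", "version": "v2.0.55"},
    ]
})
SAMPLE_INFO_XML = "<info><id>graphapi</id><name>Graph API</name><version>0.3.0</version></info>"


def parse_version(text: str) -> tuple:
    """'v6.0.13' -> (6, 0, 13); a leading 'v' and suffixes such as '-rc1' are ignored."""
    m = re.match(r'v?(\d+(?:\.\d+)*)', text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def thinkphp_status(composer_lock: str) -> dict:
    """Read composer.lock text; report the installed framework version and whether it predates 6.0.14."""
    lock = json.loads(composer_lock)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "topthink/framework":
            installed = parse_version(pkg["version"])
            return {"installed": installed, "vulnerable": installed < THINKPHP_FIXED}
    return {"installed": None, "vulnerable": False}  # framework not managed by Composer here


def graphapi_status(info_xml: str) -> dict:
    """Read the graphapi app's info.xml text; report whether the version is an unfixed 0.2.x/0.3.x."""
    root = ET.fromstring(info_xml)
    installed = parse_version(root.findtext("version", ""))
    fixed = GRAPHAPI_FIXED.get(installed[:2])
    # Branches outside 0.2.x/0.3.x are not named by the CVE, so they are not flagged here.
    vulnerable = fixed is not None and installed < fixed
    return {"installed": installed, "vulnerable": vulnerable}


def audit(composer_lock: str, info_xml: str) -> list:
    """Return the CVE identifiers that still apply to the given install."""
    findings = []
    if thinkphp_status(composer_lock)["vulnerable"]:
        findings.append("CVE-2022-47945")
    if graphapi_status(info_xml)["vulnerable"]:
        findings.append("CVE-2023-49103")
    return findings


if __name__ == "__main__":
    for cve in audit(SAMPLE_COMPOSER_LOCK, SAMPLE_INFO_XML):
        print(f"still vulnerable: {cve}")
```

In a real environment read the two files from the deployment (for example `cat composer.lock` on the ThinkPHP host and the graphapi `info.xml` inside the ownCloud container) and feed their text to `audit`. Remember that a version check covers only the patch; for ownCloud it says nothing about whether `GetPhpInfo.php` had already been fetched before the upgrade, which is what the log scan and the secret rotation step are for.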

Conclusion

The ongoing exploitation of CVE-2022-47945 and CVE-2023-49103 underscores the critical importance of proactive security measures. In the ever-evolving threat landscape, complacency is not an option. By prioritizing timely patching, robust vulnerability management, and continuous threat monitoring, DevOps teams can effectively safeguard their systems and prevent falling victim to both new and resurgent cyberattacks. Don't let old flaws become your organization's Achilles' heel. Take action today to secure your systems.
