Three critical vulnerabilities in the ownCloud platform have been identified, one of which is being actively exploited. Urgent action is required to address the vulnerabilities to protect sensitive networks and sensitive data.

The ownCloud platform is used extensively in healthcare for storing, synchronizing, and sharing files and collaborating and consolidating work processes. As such, the platform is a prime target for malicious actors as it allows them to access highly sensitive data. The Clop hacking groups demonstrated how serious vulnerabilities in file sharing platforms can be, having mass exploited vulnerabilities in Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer solution earlier this year.

Security advisories were issued by ownCloud on November 21, 2023, about three vulnerabilities, the most serious of which has a maximum CVSS v3.1 severity score of 10. The remaining two vulnerabilities have been assigned CVSS scores of 9.8 and 9. Evidence of active exploitation of the flaws was identified by the cybersecurity firm Greynoise from November 25, 2023, with the malicious activity originating from 32 unique IP addresses.

• CVE-2023-49103 – A critical vulnerability in versions 0.2.0 – 0.3.0 of the graphapi app that allows disclosure of sensitive credentials and configuration in containerized deployments. The graphapi app relies on a third-party library that provides a URL. When the URL is accessed, it reveals the configuration details of the PHP environment, which includes environment variables for the webserver. In containerized deployments, the disclosed information can include the ownCloud admin password, mail server credentials, and license key. The vulnerability has a CVSS severity score of 10 out of 10.
• CVE-2023-49105 – A critical WebDAV API authentication bypass vulnerability using pre-signed URLs. The vulnerability affects core 10.6.0 – 10.13.0 and can be exploited to access, modify, or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default setting. The vulnerability has a CVSS severity score of 9.8 out of 10.
• CVE-2023-49104 – A critical subdomain validation bypass vulnerability in oauth2 < 0.6.1. An attacker can pass in a specially crafted redirect-URL that bypasses the validation code, allowing the attacker to redirect callbacks to a TLD controlled by the attacker. The vulnerability has a CVSS severity score of 9.0 out of 10.

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning on December 5, 2023, urging HPH sector organizations to take immediate action and apply the actions recommended by ownCloud. “The nature of this platform is such that it needs to be integrated into the information infrastructure of a customer organization to function, which provides attackers with a target that can potentially provide access to sensitive information, as well as a staging point for further attacks,” explained HC3.

At present, only the CVE-2023-49103 is believed to have been actively exploited in attacks in the wild. This vulnerability should therefore be treated with the highest priority; however, the remaining vulnerabilities should also be addressed as soon as possible as exploitation is likely.

ownCloud notes that while the graphapi app can be disabled, that will not fully address the CVE-2023-49103 vulnerability. The owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file should also be deleted and the phpinfo function should be disabled in Docker containers. Owncloud also recommends changing potentially exposed secrets such as the credentials for ownCloud administration, the mail server, the database, and the Object-Store/S3 access key. Owncloud’s mitigations for the vulnerabilities can be found on the following links:

• CVE-2023-49103 mitigations
• CVE-2023-49105 mitigations
• CVE-2023-49104 mitigations

The post Urgent Action Required to Address Critical ownCloud Vulnerabilities appeared first on HIPAA Journal.

Concern is growing as ransomware groups ramp up exploitation of a critical vulnerability in NetScaler ADS (formerly Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, dubbed Citrix Bleed.

Citrix issued a security advisory about the vulnerability on October 10, 2023, and issued a patch to correct the flaw, which can be exploited to bypass password protection and multifactor authentication. The buffer overflow vulnerability is tracked as CVE-2023-4966 and has a CVSS severity score of 9.4 out of 10. The vulnerability appears to have been exploited in the wild since August 2023. The vulnerability is easy to exploit and allows threat actors to take over legitimate user sessions. Once initial access has been gained, threat actors can elevate privileges, harvest credentials, move laterally, and access sensitive data and resources.

The vulnerability affects the following NetScaler ADC and Gateway versions:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
• NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
• NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers still using these versions should upgrade their appliances to one of the supported versions.

On October 18, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog, and a security advisory about the flaw was issued on November 21, 2023, as it became clear that the vulnerability was being exploited more widely, including by the LockBit 3.0 ransomware group in attacks on critical infrastructure.

On November 22, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued an urgent security advisory to the healthcare and public health (HPH) sector about the flaw along with a further advisory on November 30, 2023, urging healthcare organizations to patch the vulnerability as soon as possible to protect against exploitation. Applying the patch will prevent the vulnerability from being exploited; however, if it has already been exploited, the compromised sessions will remain active. Steps must therefore also be taken to ensure all active sessions are removed.

To remove active and persistent sessions after the patch has been applied, admins should run the following commands:

• kill aaa session -all
• kill icaconnection -all
• kill rdp connection -all
• kill pcoipConnection -all
• clear lb persistentSessions

Steps should also be taken to investigate potential exploits of the vulnerability. NetScaler has issued guidance for investigations and CISA has published Indicators of Compromise associated with LockBit 3.0 along with the tactics, techniques, and procedures (TTPs) used by the group and mitigation steps for defending against ransomware attacks.

The American Hospital Association has recently issued a security advisory urging hospitals to take immediate action to protect against exploitation of the Citrix Bleed vulnerability, given that hospitals are prime targets for ransomware groups. “This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems.  Ransomware attacks disrupt and delay health care delivery, placing patient lives in danger. We must remain vigilant and harden our cyber defenses, as there is no doubt that cyber criminals will continue to target the field, especially during the holiday season.”

The post Citrix Bleed Vulnerability Requires Urgent Action as Ransomware Groups Scale Up Attacks appeared first on HIPAA Journal.