Exploring the Vulnerabilities: Unveiling the New RCE Exploit Chain for SharePoint

Vulnerabilities in Microsoft SharePoint Server Expose Critical Security Risks

Introduction

Researchers have recently uncovered two critical vulnerabilities in Microsoft SharePoint Server, one of which has the potential for remote code execution (RCE), while the other allows an attacker to gain administrator privileges. The severity of these vulnerabilities, the potential for exploitation, and the large number of internet-exposed SharePoint servers make this an issue of great concern to organizations. This report will analyze the two vulnerabilities and their potential impact, discuss the exploit chain developed by researchers, and provide recommendations for securing SharePoint servers.

Vulnerability Details

The first vulnerability, tracked as CVE-2023-29357, is an elevation of privilege flaw in SharePoint Server 2019. Microsoft has already issued a patch for this vulnerability in their June security update. Exploiting this flaw, an unauthenticated attacker can bypass authentication checks by using a spoofed JSON Web Token (JWT) and gain administrative privileges on an affected SharePoint server. No user interaction or pre-existing privileges are required to exploit this vulnerability.

The second vulnerability, identified as CVE-2023-24955, is an RCE vulnerability that Microsoft patched in May. It affects SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition. This vulnerability enables remote attackers to execute arbitrary code on the vulnerable servers. Microsoft has rated both vulnerabilities as critical and warns that threat actors are likely to exploit them in the coming months.

According to the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST), CVE-2023-29357 carries a CVSS severity score of 9.8, while the RCE vulnerability (CVE-2023-24955) carries a score of 7.3. The scanning platform Censys has identified over 100,000 internet-exposed SharePoint servers that could potentially be affected by these vulnerabilities.

The Exploit Chain

Researchers from StarLabs in Singapore reported both vulnerabilities to Microsoft and have released details of an exploit chain they developed that takes advantage of these vulnerabilities to gain pre-authentication RCE on affected systems. They demonstrated the exploit at the Pwn2Own Vancouver contest in March and provided a technical paper describing their approach.

To exploit the vulnerabilities, the researchers first spoofed a valid JWT using the “None” signing algorithm, effectively impersonating a user with administrative privileges in a SharePoint Server 2019 instance. The “None” signing algorithm means the JWT carries no digital signature at all, so its claims can be modified without detection unless the verifier explicitly refuses unsigned tokens. The researchers then used the obtained administrative privileges to inject arbitrary code via the CVE-2023-24955 vulnerability, achieving remote code execution on the target SharePoint server.
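The first link in the chain is a JWT verifier that honours whatever algorithm the token's own header names, including “none”. The following is an added example, not code from the article, from StarLabs, or from SharePoint, showing how a verifier should behave instead: it pins the accepted algorithm to an allow-list it owns, compares the HMAC signature in constant time, and enforces expiry. The shared key, claim names and sample tokens are constructed for illustration.

```python
"""Defensive JWT validation that refuses unsigned ("none") tokens.

Added example; not the article's, StarLabs' or Microsoft's code.
Token layout follows RFC 7519. The HMAC key and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed HS256 key shared between issuer and verifier (constructed value).
SECRET_KEY = b"example-shared-secret-not-for-production"
# The verifier decides which algorithms are acceptable; the token does not.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_token(claims: dict, alg: str = "HS256", key: bytes = SECRET_KEY) -> str:
    """Build a JWT. alg="none" yields the unsigned form (header.payload.)
    and exists here only so the verifier's rejection of it can be tested."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None.

    Order of checks: parse; reject any algorithm outside ALLOWED_ALGS
    (so "none" never reaches the signature step); constant-time HMAC
    comparison; expiry. Any malformed input is treated as invalid.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None

    alg = header.get("alg")
    # The header is attacker-controlled; only allow-listed algorithms pass.
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return None

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None

    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims


if __name__ == "__main__":
    claims = {"sub": "site-admin", "exp": 2_000_000_000}
    print("signed  :", verify_token(make_token(claims), now=1_700_000_000))
    print("unsigned:", verify_token(make_token(claims, alg="none"), now=1_700_000_000))
```

The important design choice is that `ALLOWED_ALGS` is owned by the verifier and consulted before any signature work: a header that says `"alg":"none"` (or names an algorithm the key was never meant for) is rejected outright rather than being used to pick the verification routine. A library that branches on the header's `alg` value is exactly the pattern an unsigned token abuses.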

In addition to the researchers at StarLabs, another independent security researcher, Valentin Lobstein, a cybersecurity student at Oteria Cyber School in France, posted a proof-of-concept (PoC) code on GitHub that showcases how an attacker could gain admin privileges on unpatched SharePoint Server 2019 systems via CVE-2023-29357. While Lobstein’s PoC focuses on privilege escalation, it can be easily combined with the CVE-2023-24955 vulnerability to compromise the confidentiality, integrity, and availability of an affected SharePoint server.

Potential Impact and Recommendations

The successful exploitation of these vulnerabilities can have severe consequences. A malicious attacker with administrative privileges could delete or corrupt organizational data, exfiltrate sensitive information, or disrupt SharePoint environments by altering user and group permissions. Immediate action is crucial for organizations running SharePoint Server, particularly version 2019.

Microsoft has recommended enabling the Antimalware Scan Interface (AMSI) integration feature on SharePoint and utilizing Microsoft Defender as a protective measure against CVE-2023-29357. It is essential to apply the June security update and ensure all patches are up to date. Regularly monitoring the security advisories from Microsoft and promptly applying patches is crucial to mitigate potential risks.

In addition to patching, organizations should implement network segmentation and access controls to limit the exposure of SharePoint servers. Employing multi-factor authentication (MFA) and strong passwords is also recommended to reduce the risk of unauthorized access. Regular vulnerability scans and security assessments can help identify potential weaknesses and ensure a proactive approach to safeguarding information systems.

In Conclusion

The discovery of critical vulnerabilities in Microsoft SharePoint Server poses a significant threat to organizations that rely on this platform for collaboration and document management. The exploit chain demonstrated by researchers and the public availability of PoC codes increase the urgency for organizations to take immediate action. By promptly patching vulnerabilities, implementing robust security measures, and staying informed on emerging threats, organizations can effectively protect their SharePoint environments and mitigate potential risks.
