CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability: Patch Immediately
- March 19, 2024
- 9:49 am
CISA Warns of Widespread Threat: Patch Now
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a widely exploited vulnerability affecting Microsoft SharePoint Server. This vulnerability tracked as CVE-2023-29357, carries a CVSS score of 9.8, indicating its severe potential impact.
What is Vulnerability?
CVE-2023-29357 is a privilege escalation vulnerability. This means an attacker could exploit this flaw to gain elevated privileges on a vulnerable SharePoint server. With these elevated privileges, an attacker could potentially:
- Take control of the server and its data.
- Install malware or other malicious software.
- Disrupt or disable critical business operations.
How is the Vulnerability Exploited?
The vulnerability allows attackers to bypass authentication mechanisms on SharePoint servers, essentially allowing them to masquerade as legitimate users with elevated privileges. This can be achieved by exploiting spoofed JSON Web Token (JWT) authentication tokens.
Microsoft has explained that attackers do not require any prior access to the server or any user interaction to exploit this vulnerability. This significantly increases the potential risk of widespread exploitation.
Why is This Urgent?
This vulnerability’s critical nature is further amplified by its active exploitation in the wild, according to CISA. This means that attackers are already using this flaw to compromise vulnerable SharePoint servers.
Security researcher Nguyễn Tiến Giang (Jang) of Star Labs SG successfully demonstrated an exploit for this vulnerability at the Pwn2Own Vancouver hacking contest in 2023, highlighting its potential for real-world attacks
What Should You Do?
Microsoft released patches to address this vulnerability as part of its June 2023 Patch Tuesday updates. All organizations using Microsoft SharePoint Server must apply these patches immediately to mitigate the risk of exploitation.
Additionally, organizations should: :
- Scan their systems to identify any unpatched SharePoint servers.
- Implement additional security measures, such as multi-factor authentication (MFA), to further protect their environment.
- Stay informed about the latest cyber threats and vulnerabilities.
By taking these steps, organizations can significantly reduce their risk of being compromised by this critical vulnerability.
In the following sections, we will delve deeper into the technical details of the vulnerability, the patching process, and additional recommendations for securing your SharePoint environment.
Beyond Privilege Escalation: Understanding the Full Attack Chain
While CVE-2023-29357 is concerning on its own, it becomes even more critical when combined with another vulnerability.
Exploit Chain Revealed:
Researchers discovered that CVE-2023-29357 can be combined with another vulnerability, CVE-2023-24955, to create a more powerful attack chain. This second vulnerability, patched by Microsoft in May 2023, allows for remote code execution (RCE), meaning an attacker could potentially take complete control of a vulnerable system.
Crafting the Chain:
Security researcher Nguyễn Tiến Giang (Jang) published a technical report in September 2023 detailing the creation of this exploit chain. He noted that the process of discovering and crafting this chain took nearly a year of dedicated effort.
Real-World Exploitation:
While the specifics of real-world exploitation and the identity of the attackers remain unknown, the potential threat is evident.
Urgency for Federal Agencies:
CISA has emphasized the urgency of patching for federal agencies, recommending they apply the patches by January 31, 2024. This underscores the seriousness of the combined exploit chain and the need for swift action.
Microsoft's Response:
Microsoft has confirmed that the patch for CVE-2023-29357 was released in June 2023. They encourage users who have enabled automatic updates and receive updates for other Microsoft products to be already protected.
Remember, patching is crucial to mitigate the risk of this complex attack chain. Stay vigilant and ensure your systems are up to date with the latest security fixes.
