A proof-of-concept exploit chain for two critical vulnerabilities in Microsoft SharePoint Server has been recently disclosed. These vulnerabilities, if exploited, could lead to unauthenticated remote code execution (RCE). This concerning development was detailed in a blog post by a STAR Labs researcher and demonstrated during the Zero Day Initiative’s Pwn2Own contest.
Detailed Analysis of the Vulnerabilities
The exploit chain combines two distinct vulnerabilities in Microsoft SharePoint Server:
- CVE-2023-29357: This is an elevation of privilege (EoP) vulnerability with a high CVSSv3 score of 9.8. It allows a remote, unauthenticated attacker to send a spoofed JSON Web Token (JWT) to the vulnerable server, thereby gaining the privileges of an authenticated user without the need for user interaction.
- CVE-2023-24955: Rated with a CVSSv3 score of 7.2, this remote code execution (RCE) vulnerability enables an authenticated Site Owner to execute arbitrary code on the affected SharePoint Server. The vulnerability is exploited by replacing the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file, which compiles into an assembly executed by SharePoint.
Both vulnerabilities have been addressed in Microsoft’s Patch Tuesday releases, with CVE-2023-29357 patched in June 2023 and CVE-2023-24955 in May 2023.
Public Exploit Script and Its Implications
A public exploit script targeting CVE-2023-29357 has been released on GitHub, enabling attackers to escalate privileges on compromised SharePoint Server installations. By chaining this EoP vulnerability with the RCE vulnerability CVE-2023-24955, attackers can significantly compromise system confidentiality, integrity, and availability.
Affected Products
- CVE-2023-29357 impacts Microsoft SharePoint Server 2019.
- CVE-2023-24955 affects Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server Subscription Edition.
Recommendations for Mitigation
- Install Security Updates: It is critical to install all related security updates for the affected software. Patches for CVE-2023-29357 and CVE-2023-24955 are available and should be applied immediately.
- Enable AMSI Integration: Microsoft recommends enabling AMSI (Antimalware Scan Interface) integration and using Microsoft Defender across SharePoint Server farms for additional protection.
- Follow Microsoft’s Guidance: A step-by-step guide for implementing AMSI with SharePoint Server is available in Microsoft’s official documentation.
Conclusion
The public availability of the exploit chain significantly increases the risk of these vulnerabilities being leveraged by malicious actors. It is imperative for organizations using Microsoft SharePoint Server to promptly apply the recommended patches and mitigations to prevent potential security breaches and data compromises.
The revelation of this exploit chain for Microsoft SharePoint Server vulnerabilities underscores the importance of timely patch management and proactive security measures in enterprise environments. Staying vigilant and updated on the latest cybersecurity threats and solutions is essential to safeguard sensitive information and maintain system integrity in the face of evolving cyber threats.
Also Read:
- Enhancing Node.js Application Security: Essential Best Practices
- Maximizing Node.js Efficiency with Clustering and Load Balancing
- Understanding Event Emitters in Node.js for Effective Event Handling
- Understanding Streams in Node.js for Efficient Data Handling
- Harnessing Environment Variables in Node.js for Secure Configurations