
CISA: Critical SharePoint bug actively exploited


A critical Microsoft SharePoint server bug that can form part of a remote code execution (RCE) exploit chain has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog.

The bug, tracked as CVE-2023-29357, is an elevation of privilege vulnerability with a CVSS v3 score of 9.8. Microsoft patched it in June 2023.

The flaw allows an unauthenticated attacker who can present spoofed JSON web tokens (JWTs) to the server to gain Administrator privileges on the SharePoint host.

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.

“The attacker needs no privileges nor does the user need to perform any action.”
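The article does not describe how the spoofed tokens are built or why SharePoint accepts them, and Microsoft's advisory text above does not either. The following is an added illustration, not code from the article, Microsoft, or the researchers named below, of the generic failure mode the phrase "spoofed JWT authentication tokens" refers to: a verifier that lets the token's own `alg` header decide how it is checked will accept an unsigned token that declares `alg: none`, while a verifier that pins the expected algorithm and always checks the signature rejects it. The key, claims and function names are constructed for the example and are not from the page.

```python
# Added example (not from the article, Microsoft, or the researchers it names):
# a JWT verifier that trusts the token's own "alg" header versus one that pins
# the algorithm server-side. The exact SharePoint mechanism is not described
# on the page; key, claims and function names here are constructed.
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-hmac-key"  # assumed server-side secret, not real


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding the JWT encoding strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(claims: dict, key: bytes) -> str:
    """What a legitimate issuer does: HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _segment(header) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_unsigned(claims: dict) -> str:
    """What an attacker without the key can do: declare alg=none, send no signature."""
    header = {"alg": "none", "typ": "JWT"}
    return _segment(header) + "." + _segment(claims) + "."


def verify_trusting_header(token: str, key: bytes):
    """Flawed verifier: the token itself decides how it should be checked."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":  # a spoofed token is accepted here with no signature at all
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened verifier: algorithm fixed by the server, signature always checked."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    forged = forge_unsigned({"sub": "attacker", "role": "Administrator"})
    print("trusting header:", verify_trusting_header(forged, SERVER_KEY))  # accepted
    print("pinned alg:     ", verify_pinned(forged, SERVER_KEY))           # None
```

The check a practitioner wants from any token-consuming service is the second one: the accepted algorithm and key come from server configuration, never from the token, and a missing or mismatched signature is a hard reject rather than a fallback path.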

While CISA’s decision to add the bug to the KEV Catalog is based on “evidence of active exploitation,” the agency did not elaborate on what that evidence was.

Star Labs researcher Nguyễn Tiến Giang (Jang) last year demonstrated and described how the bug could be chained with a second exploit, CVE-2023-24955 (CVSS 7.2), to achieve RCE.

Last September another researcher, Valentin Lobstein, published on GitHub a proof of concept (PoC) exploit for CVE-2023-29357.

“While this [PoC] script focuses on elevation of privilege, attackers with malicious intent might chain this vulnerability with a Remote Code Execution (RCE) vulnerability (CVE-2023-24955) to compromise the integrity, availability, and confidentiality of the target system,” Lobstein said.

“The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes. However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.”

Security researcher Kevin Beaumont warned organizations last year to patch CVE-2023-29357 and CVE-2023-24955 because of the risk that ransomware groups could mount attacks using the chained exploits.

After CVE-2023-29357 was added to the KEV Catalog last week, Beaumont said on Mastodon: “I am aware of one ransomware group that finally has a working exploit for this.”

Now that the bug has been added to the catalog, all U.S. Federal Civilian Executive Branch (FCEB) agencies have until Jan. 31 to apply the patch to any affected systems, as required under CISA's Binding Operational Directive 22-01.

CVE-2023-24955 has not been added to the KEV Catalog.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
