A critical Microsoft SharePoint server bug that can form part of a remote code execution (RCE) exploit chain has been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog.
The flaw allows attackers to use spoofed JSON web tokens (JWTs) to gain Administrator privileges on the SharePoint host.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft said.
“The attacker needs no privileges nor does the user need to perform any action.”
While CISA’s decision to add the bug to the KEV Catalog is based on “evidence of active exploitation,” the agency did not elaborate on what that evidence was.
Last September, another researcher, Valentin Lobstein, published a proof of concept (PoC) exploit for CVE-2023-29357 on GitHub.
“While this [PoC] script focuses on elevation of privilege, attackers with malicious intent might chain this vulnerability with a Remote Code Execution (RCE) vulnerability (CVE-2023-24955) to compromise the integrity, availability, and confidentiality of the target system,” Lobstein said.
“The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes. However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.”
Security researcher Kevin Beaumont warned organizations last year to patch CVE-2023-29357 and CVE-2023-24955 because of the risk that ransomware groups could mount attacks using the chained exploits.
After CVE-2023-29357 was added to the KEV Catalog last week, Beaumont said on Mastodon: “I am aware of one ransomware group that finally has a working exploit for this.”
Now that the bug has been added to the catalog, all U.S. Federal Civilian Executive Branch government agencies have until Jan. 31 to apply the patch to any affected systems.
CVE-2023-24955 has not been added to the KEV Catalog.