MS SharePoint Server CRITICAL Vulnerabilities

Details are emerging of an exploit chain combining two vulnerabilities in the on-premises edition of Microsoft SharePoint Server 2019 (the public proof of concept was demonstrated against build 16.0.10396.20000).

Initially reported to Microsoft by a security researcher working with Trend Micro's Zero Day Initiative, CVE-2023-29357 is a low-complexity elevation of privilege vulnerability with a critical CVSS score of 9.8. A remote, unauthenticated attacker can present a spoofed JSON Web Token (JWT) to a vulnerable server and, with no user interaction, be granted the privileges of an authenticated user.

This is where it gets interesting: once authenticated by way of that vulnerability, the attacker can chain CVE-2023-24955, a remote code execution (code injection) vulnerability with a CVSS score of 7.2. On its own, CVE-2023-24955 requires an authenticated, privileged user, which is precisely what the first bug hands the attacker, so together the pair gives unauthenticated remote code execution on the server.

The original researchers have uploaded a short video to YouTube giving a limited demonstration of this PoC exploit chain. Thankfully, Microsoft released patches in May and June of this year that mitigate this threat (KB5002402 and KB5002403). If you haven't already, patch now, either by downloading the updates directly or by running Windows Update on the affected machines. Remember that a SharePoint security update is not fully applied until you run the SharePoint Products Configuration Wizard (PSConfig) on every server in the farm, so confirm the new build number in Central Administration (Manage servers in farm) afterwards rather than trusting the installer alone.

According to Microsoft, customers who have enabled AMSI (Antimalware Scan Interface) integration and use Microsoft Defender across their SharePoint farm are already protected from these vulnerabilities; Microsoft's SharePoint Server documentation describes how to configure AMSI integration.

Well-known security researcher Florian Roth has released a YARA rule to detect exploitation activity, which you can find on his GitHub page and which is reproduced here. Note that it keys on the user agent of the published Python PoC (python-requests) against the /web/siteusers and /web/currentuser endpoints together with a non-4xx response, so it catches that tooling rather than every possible exploitation attempt, and it is meant to be run over IIS web logs, not over files on disk:

rule LOG_EXPL_SharePoint_CVE_2023_29357_Sep23_1 {
   meta:
      description = "Detects log entries that could indicate a successful exploitation of CVE-2023-29357 on Microsoft SharePoint servers with the published Python POC"
      author = "Florian Roth (with help from @LuemmelSec)"
      reference = "https://twitter.com/Gi7w0rm/status/1706764212704591953?s=20"
      date = "2023-09-28"
      modified = "2023-09-29"
      score = 70
   strings:
      /*
         references:
         https://x.com/TH3C0DEX/status/1707503935596925048?s=20
         https://x.com/theluemmel/status/1707653715627311360?s=20 (plus private chat)
      */
      $xr1 = /GET [a-z\.\/_]{0,40}\/web\/(siteusers|currentuser) - (80|443) .{10,200} python-requests\/[0-9\.]{3,8} [^ ]{1,160} [^4]0[0-9] /
   condition:
      $xr1
}
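To show what the rule actually fires on, here is its $xr1 regular expression transcribed into Python and run over a handful of IIS log lines. This is an added example, not code from the original post or from Florian Roth's rule set: the log lines are constructed to resemble IIS W3C extended logging on a SharePoint front end (the field order assumed is date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status, sc-substatus, sc-win32-status, time-taken), and the IP addresses, user agents and timestamps in them are made up.

```python
"""Run the detection logic of LOG_EXPL_SharePoint_CVE_2023_29357_Sep23_1
over IIS W3C log lines.

Added example, not part of the original post or of Florian Roth's rule set.
The regex is transcribed from the rule's $xr1 string into Python `re` syntax;
the sample log lines are constructed, with an assumed W3C field order of:
date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
"""
import re
from typing import Iterable

# Transcribed from $xr1. The trailing class [^4]0[0-9] means the rule only
# fires when the server answered with a non-4xx status, i.e. the spoofed
# token was not rejected with 401/403. It therefore also fires on 5xx.
XR1 = re.compile(
    r"GET [a-z\./_]{0,40}/web/(siteusers|currentuser) - (80|443) .{10,200} "
    r"python-requests/[0-9.]{3,8} [^ ]{1,160} [^4]0[0-9] "
)


def scan_iis_log(lines: Iterable[str]) -> list[dict]:
    """Return one dict per matching line with the fields an analyst would
    pivot on: line number, client IP, user agent, status and request path."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if not XR1.search(line):
            continue
        f = line.split()
        hits.append({
            "line": lineno,
            "uri": f[4] if len(f) > 4 else None,
            "client_ip": f[8] if len(f) > 8 else None,
            "user_agent": f[9] if len(f) > 9 else None,
            "status": f[11] if len(f) > 11 else None,
        })
    return hits


# Constructed sample log (not real traffic). Lines 3, 4 and 6 should match.
SAMPLE_LOG = [
    # Browser traffic to the same endpoint: wrong user agent, no match.
    "2023-09-28 10:15:30 10.0.0.5 GET /_api/web/siteusers - 443 CONTOSO\\alice 10.0.0.20 "
    "Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/ 200 0 0 45",
    # PoC-style request the server rejected: 401, no match.
    "2023-09-28 10:15:31 10.0.0.5 GET /_api/web/siteusers - 443 - 10.0.0.99 "
    "python-requests/2.31.0 - 401 0 0 12",
    # PoC-style request that was accepted: python-requests + 200, match.
    "2023-09-28 10:15:32 10.0.0.5 GET /_api/web/siteusers - 443 - 10.0.0.99 "
    "python-requests/2.31.0 - 200 0 0 123",
    # Same tool hitting /currentuser over port 80, accepted: match.
    "2023-09-28 10:15:33 10.0.0.5 GET /_api/web/currentuser - 80 - 10.0.0.99 "
    "python-requests/2.28.1 - 200 0 0 98",
    # python-requests against an endpoint outside the rule's scope: no match.
    "2023-09-28 10:15:34 10.0.0.5 GET /_api/web/lists - 443 - 10.0.0.99 "
    "python-requests/2.31.0 - 200 0 0 77",
    # Server error on the targeted endpoint: 500 is not 4xx, so it matches too.
    "2023-09-28 10:15:35 10.0.0.5 GET /_api/web/siteusers - 443 - 10.0.0.99 "
    "python-requests/2.31.0 - 500 0 0 2041",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

Two things worth noticing when you run it: the browser request to the same endpoint is ignored because the rule keys on the python-requests user agent, and the 500 response is flagged alongside the 200s because the status class only excludes 4xx. A hit on a 5xx is therefore a failed or noisy attempt rather than a confirmed compromise, and an attacker who changes the user agent will not appear at all, so treat the rule as a quick triage aid and corroborate hits with the full request history from that client IP.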


If you think you may be affected by this, or you're not sure, get in touch with us at e2e-assure through our usual channels or by email and we will be happy to work with you to make sure you remain protected.

Josh Lemon

DFIR Consultant // SANS Instructor & Author

1 year

I think the link to the YouTube video might be incorrect, looks like it's a 3hr video on how to make a login with NetBeans.


More articles by Duncan W.
