CISA Issues Warning on Exploited Microsoft SharePoint Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the exploitation of a code injection vulnerability in Microsoft SharePoint, which can be combined with a critical privilege escalation flaw to conduct pre-auth remote code execution attacks.

Tracked as CVE-2023-24955, this vulnerability in SharePoint Server permits authenticated attackers with Site Owner privileges to execute code remotely on vulnerable servers.

Additionally, a second flaw identified as CVE-2023-29357 allows remote attackers to attain admin privileges on susceptible SharePoint servers by bypassing authentication using forged JWT auth tokens.

These two security vulnerabilities in SharePoint Server can be chained together by unauthenticated attackers to achieve remote code execution on unpatched servers. Researcher Nguyễn Tiến Giang (Janggggg) demonstrated this capability during the March 2023 Pwn2Own contest in Vancouver.

A proof-of-concept exploit for CVE-2023-29357 was published on GitHub on September 25, followed by a technical analysis by the researcher detailing the exploitation process.

Although the initial PoC exploit did not facilitate remote code execution on targeted systems, threat actors could potentially modify it to incorporate CVE-2023-24955 exploitation capabilities for RCE attacks. Several PoC exploits targeting this chain have subsequently emerged online, including one from Star Labs, simplifying its use for less skilled attackers.

CISA responded by adding the CVE-2023-29357 flaw to its Known Exploited Vulnerabilities Catalog in October and directed U.S. federal agencies to patch it by January 31.

Recently, CISA included the CVE-2023-24955 code injection vulnerability in its list of actively exploited security flaws. As per the BOD 22-01 binding operational directive, federal agencies are mandated to secure their SharePoint servers by April 16.

Although CISA did not disclose specific details about attacks leveraging these SharePoint vulnerabilities, the agency stated that there is no evidence they have been used in ransomware attacks.

CISA emphasizes the importance of addressing these vulnerabilities promptly, noting that flaws of this kind are common attack vectors for malicious cyber actors. While the KEV catalogue primarily targets federal agencies, private organizations are also urged to prioritize patching the vulnerabilities in this exploit chain to mitigate potential attacks.