Microsoft SharePoint, the online collaboration suite, is affected by an authentication bypass bug that allows an attacker to gain admin privileges when it is chained with a second bug.
The vulnerability was discovered by a security researcher at Pwn2Own last year and has recently been patched. Because it is being actively exploited in the wild, CISA has asked US federal agencies to patch their SharePoint servers immediately.
RCE Bug in Microsoft SharePoint
Microsoft SharePoint Server has a critical security bug, tracked as CVE-2023-29357, that lets remote attackers gain admin privileges by circumventing authentication. They do so by spoofing JWT authentication tokens to “execute a network attack which bypasses authentication and allows them to gain access with the privileges of an authenticated user”, according to Microsoft.
Furthermore, attackers can execute arbitrary code on compromised SharePoint servers by chaining this flaw with another SharePoint RCE bug, tracked as CVE-2023-24955. Microsoft says that an “attacker needs no privileges nor does the user need to perform any action” for this attack to succeed.
The exploit chain was demonstrated by STAR Labs researcher Jang (Nguyễn Tiến Giang) during the March 2023 Pwn2Own contest, earning him a $100,000 reward. In September 2023, the researcher published a detailed technical analysis of the exploit.
A day later, another security researcher released a proof-of-concept exploit for CVE-2023-29357, but in a deliberately limited form. On its own the PoC does not give an attacker much; it is only useful when combined with the CVE-2023-24955 bug to gain RCE capabilities.
Explaining that the PoC’s functionality was restricted “to maintain an ethical stance”, the developer said the “script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes”.
While other PoCs for this significant bug have surfaced online, none have provided full details for CVE-2023-29357, making them effectively useless. Nevertheless, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and asked US federal agencies to patch it by January 31, 2024.