

Rewterz Threat Advisory – Multiple Microsoft Windows Products Vulnerabilities
January 15, 2024
Rewterz Threat Advisory – CVE-2023-6129 – OpenSSL Vulnerability
January 15, 2024
Severity
High
Analysis Summary
CISA has issued a warning about a critical Microsoft SharePoint Server privilege escalation flaw that attackers are actively exploiting, chaining it with a second critical vulnerability to achieve remote code execution.
The vulnerability, tracked as CVE-2023-29357, allows remote threat actors to gain administrator privileges on unpatched servers by presenting spoofed JWT authentication tokens to bypass authentication. An attacker who can craft such a token can use it in a network attack that bypasses authentication and grants the privileges of an authenticated user. The attacker needs no prior privileges and no user interaction is required.
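The failure class described above, a resource server accepting a JWT whose signature it never actually verifies, is shown in the added example below. This is generic JWT-handling code written for this advisory; it is not SharePoint's code and not a reproduction of the CVE-2023-29357 exploit. It assumes a constructed HS256 shared secret, a constructed audience value, and a weak verifier that honours whatever `alg` the attacker-controlled token header names, alongside a hardened verifier that pins the algorithm, always checks the signature and checks the audience.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key: the secret a real issuer and resource server would share.
SERVER_SECRET = b"constructed-example-signing-key"
EXPECTED_AUD = "constructed-sharepoint-app"   # constructed audience value


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes = SERVER_SECRET) -> str:
    """What the legitimate issuer does: header.payload signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}." + _b64url_encode(_hs256(signing_input, key))


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker with no key can build: alg=none and an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def weak_verify(token: str) -> Optional[dict]:
    """Vulnerable pattern: the algorithm named in the token header decides
    whether a signature is checked, so 'none' skips verification entirely."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))      # attacker-chosen claims accepted as-is
    if header.get("alg") == "HS256":
        expected = _hs256(f"{h}.{p}".encode(), SERVER_SECRET)
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def strict_verify(token: str, expected_aud: str = EXPECTED_AUD) -> Optional[dict]:
    """Hardened pattern: pin the algorithm, always verify the signature with the
    server's own key, then check the audience. Any malformed input is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = _hs256(f"{h}.{p}".encode(), SERVER_SECRET)
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if claims.get("aud") != expected_aud:
            return None
        return claims
    except (ValueError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    # Constructed forged token claiming admin rights without any key material.
    forged = forge_unsigned_token({"sub": "attacker", "aud": EXPECTED_AUD, "isadmin": True})
    print("weak verifier accepts forged token:", weak_verify(forged))
    print("strict verifier accepts forged token:", strict_verify(forged))
    legit = issue_token({"sub": "alice", "aud": EXPECTED_AUD})
    print("strict verifier accepts issued token:", strict_verify(legit))
```

The difference to look for in any token validator is whether the verification algorithm and key come from server-side configuration or from the token itself; the weak version above lets the token choose, which is exactly what lets a spoofed token impersonate a privileged user.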
When this vulnerability is combined with CVE-2023-24955, a SharePoint Server remote code execution flaw exploitable via command injection by a privileged authenticated user, threat actors can remotely execute arbitrary code on vulnerable SharePoint servers. A security researcher successfully demonstrated this exploit chain in March 2023 and published a technical analysis on 25 September 2023 detailing the exploitation process. A day later, another researcher publicly released a proof-of-concept exploit for CVE-2023-29357.
That proof of concept does not by itself achieve remote code execution, since it implements only the authentication-bypass half of the demonstrated chain, but its author noted that attackers could combine it with CVE-2023-24955 themselves to reach remote code execution. Other proof-of-concept exploits for the chain have since surfaced online, lowering the bar to the point where even inexperienced threat actors can use it in attacks.
CISA has not provided further details on the active exploitation of CVE-2023-29357. It has, however, added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and requires all U.S. federal agencies to patch their systems by January 31, 2024.
Impact
- Privilege Escalation
- Code Execution
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2023-29357
- CVE-2023-24955
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches. Patch both vulnerabilities: Microsoft fixed CVE-2023-24955 in its May 2023 security updates and CVE-2023-29357 in its June 2023 security updates for SharePoint Server; fixing only the privilege escalation breaks the unauthenticated chain but leaves the post-authentication code execution flaw exposed to any privileged account. Microsoft also states that SharePoint Server farms with the AMSI integration feature enabled and Microsoft Defender in use are protected against CVE-2023-29357, which is a useful interim measure until the update is installed.
- Implement multi-factor authentication to add an extra layer of security to login processes. Note that MFA hardens interactive sign-in only; it does not stop a spoofed token that the server accepts without authenticating anyone, so it is not a substitute for the patch.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway. For this chain in particular, watch for authentication-bypass style requests to SharePoint web endpoints from untrusted sources and for the IIS worker process (w3wp.exe) spawning command shells or scripting hosts, which is the typical sign of post-exploitation command execution on a SharePoint server.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.