Key Takeaways:
- CISA has issued a warning about the exploitation of a critical vulnerability (CVE-2023-29357) in Microsoft SharePoint.
- The flaw allows unauthenticated attackers to attain administrative privileges on unpatched servers.
- Microsoft released the June 2023 Patch Tuesday updates to address the privilege escalation vulnerability affecting SharePoint servers.
The Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns about the active exploitation of a critical vulnerability in Microsoft SharePoint. The security flaw (tracked as CVE-2023-29357) allows unauthenticated attackers to gain administrative privileges on unpatched servers.
The Microsoft SharePoint vulnerability was first discovered by STAR Labs researcher Nguyễn Tiến Giang (Jang) during Vancouver’s Pwn2Own contest in March 2023. He exploited the flaw with another vulnerability to perform unauthenticated remote code execution on a SharePoint server.
Specifically, CVE-2023-29357 is a critical privileges escalation vulnerability that carries a 9.8 severity score and affects SharePoint Server 2016 and 2019. It enables hackers to use spoofed JSON Web Token (JWT) authentication tokens to gain administrative access to a target server. JSON Web Tokens are a URL-safe means of representing claims, which ensure the integrity and authenticity of information transmitted between two parties.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action,” Microsoft explained.
Ransomware group creates exploit for critical SharePoint vulnerability
Microsoft released a patch to fix a vulnerability in SharePoint back in June 2023. However, in September, a security researcher published a proof of concept (PoC) code for the same security flaw on GitHub. The PoC didn’t explain how to use it with CVE-2023-24955 or any other vulnerability to launch remote code execution attacks.
According to cybersecurity researcher Kevin Beaumont, a ransomware group has developed a working exploit for the SharePoint vulnerability. Microsoft warned that just installing the June 2023 Patch Tuesday updates won’t be sufficient to protect organizations. It’s highly recommended that IT administrators should manually deploy security patches on SharePoint in order to block ransomware attacks.