
Potential for Pre-Authentication Remote Code Execution Chain on SharePoint Server 2019

Potential exploit chain would involve a privilege escalation vulnerability and a remote code execution vulnerability


Summary

Potential exploit chain would involve a privilege escalation vulnerability and a remote code execution vulnerability


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

A technical analysis has been published describing how attackers could chain together two vulnerabilities to compromise a vulnerable version of Microsoft SharePoint Server 2019.

A public proof-of-concept (PoC) exploit kit has been released for the first of these vulnerabilities, CVE-2023-29357, which is a critical authentication bypass vulnerability rated with a CVSSv3 score of 9.8. An attacker exploiting this vulnerability could escalate privileges.

The other vulnerability rated as critical by Microsoft is known as CVE-2023-24955 and could lead to remote code execution (RCE) if exploited by an attacker who has SharePoint site owner permissions. At the time of publication, this vulnerability does not have a public PoC.

These two vulnerabilities could be chained together to achieve pre-authentication RCE, allowing a remote, unauthenticated attacker to take control of a system.

Exploitation of CVE-2023-29357 and CVE-2023-24955

CISA have added this vulnerability to their known exploited vulnerabilities catalogue.

A proof-of-concept has been posted to GitHub for the privilege escalation vulnerability known as CVE-2023-29357. A Microsoft SharePoint Server code injection vulnerability, known as CVE-2023-24955, has also been reported as being actively exploited in the wild.


Threat updates

| Date | Update |
| --- | --- |
| 27 Mar 2024 | Active exploitation of CVE-2023-24955. This alert has been updated to reflect this change. |
| 11 Jan 2024 | Active exploitation of CVE-2023-29357. This alert has been updated to reflect this change. |


Remediation advice

Affected organisations should review the advisories in the "Remediation steps" section and apply the relevant security updates or mitigations.

Security updates were initially released in May and June 2023 for CVE-2023-24955 and CVE-2023-29357 in Cyber Alerts CC-4317 and CC-4338, respectively. 


Remediation steps

| Type | Step |
| --- | --- |
| Patch | Security updates were released in June 2023 for CVE-2023-29357 in Cyber Alert CC-4338. The relevant Microsoft advisory is at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357 |
| Patch | Security updates were released in May 2023 for CVE-2023-24955 in Cyber Alert CC-4317. The relevant Microsoft advisory is at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955 |


Last edited: 27 March 2024 2:32 pm