CISA SharePoint Vulnerability Warning: RCE Flaw Exploited
In light of recent cyber threats, a CISA SharePoint vulnerability warning has been issued. According to media reports, threat actors are exploiting the remote code execution flaw to run arbitrary code, which allows them to have Site Owner privileges. This SharePoint vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
In this article, we’ll explore the details of the vulnerability, learn how cybercriminals exploit it, and discuss mitigation measures that can be adopted.
CVE-2023-24955 Uncovered
This remote code execution (RCE) vulnerability has been tracked as CVE-2023-24955. As per the CISA SharePoint vulnerability warning, this flaw is being actively exploited in the wild and currently has a Common Vulnerability Scoring System (CVSS) rating of 7.2.
For those unfamiliar with CVSS, it provides a numerical representation of a vulnerability’s severity. As per the CISA SharePoint vulnerability warning, this flaw, when exploited, allows attackers to acquire Site Owner privileges.
These privileges can then be elevated to execute remote code. Given that this SharePoint vulnerability can lead to executing arbitrary code, it has been ranked as highly severe and calls for necessary protection measures.
CISA SharePoint Vulnerability Attack Sequence
Before getting into the details of the attack sequence, it’s worth mentioning that this vulnerability has come to prominence two months after CISA added CVE-2023-29357 to the KEV catalog. CVE-2023-29357 is another SharePoint Server flaw that allows hackers to gain admin privileges.
Threat actors acquire such privileges by bypassing authentication protocols using JWT auth tokens. GitHub released a proof-of-concept (PoC) exploit for CVE-2023-29357 in September last year. One month later, the vulnerability was added to the KEV catalog, and agencies were ordered to patch it by January 31, 2024.
The PoC exploit does not, on its own, allow threat actors to acquire remote code execution privileges. However, threat actors can combine the exploitation of CVE-2023-24955 and CVE-2023-29357 to carry out malicious intentions. Such an exploit would allow them to gain both Site Owner and RCE privileges.
This attack chain was demonstrated by StarLabs SG at the Pwn2Own Vancouver hacking contest, where researchers, as per media reports, earned a $100,000 prize. Such demonstrations have made it easier for threat actors to carry out their malicious intentions. However, threat actors have not weaponized this attack chain for active exploits.
Despite this, the prevalence and severity of such vulnerabilities serve as a stark reminder for organizations and agencies to develop and deploy competent cybersecurity strategies. Shedding light on the severity of the vulnerabilities, CISA has stated:
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
Securing SharePoint Environments
The CISA SharePoint vulnerability warning has made it clear that the flaw is a significant threat to organizations, and that it calls for the immediate adoption of security strategies that safeguard networks, applications, and data.
To develop such countermeasures, cybersecurity professionals must thoroughly comprehend attack chains and techniques used by threat actors to exploit known flaws. As per recent news reports, Microsoft has stated:
“Customers who have enabled automatic updates and enable ‘Receive updates for other Microsoft products’ option within their Windows Update settings are already protected.”
It’s worth mentioning here that Federal Civilian Executive Branch (FCEB) agencies are now required to apply patches to secure their networks against active threats. These patches must be applied by April 16, 2024.
Conclusion
The recent CISA SharePoint vulnerability warning has highlighted a critical RCE flaw impacting Microsoft SharePoint Server. The flaw, if exploited, gives threat actors Site Owner privileges, allowing them to execute arbitrary code. Given the severity of the flaw, implementing proactive cybersecurity measures has become essential, as they help safeguard against threats and improve the security posture.
The sources for the piece include articles in The Hacker News and BleepingComputer.