The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-29357, carries a CVSS score of 9.8.

The core of this issue is a privilege escalation flaw, which malicious actors can leverage to obtain administrator-level access. In response to this threat, Microsoft rolled out patches during its June 2023 Patch Tuesday updates, aimed at mitigating this risk for users and organizations reliant on SharePoint Server.

According to experts, an attacker who has obtained spoofed JWT authentication tokens can use them to carry out a network attack that bypasses standard authentication, thereby gaining access equivalent to that of an authenticated user. Importantly, the attacker does not require any prior privileges, nor does the end user need to take any action for the attack to succeed.

Security researcher Nguyễn Tiến Giang (Jang) from StarLabs SG demonstrated the exploit at the recent Pwn2Own Vancouver cybersecurity competition, successfully showcasing its efficacy and earning a $100,000 reward for his findings. Jang elaborated that the complete process of discovering and developing the exploit required almost a year of rigorous research and effort, underscoring the complexity involved in such a cybersecurity issue.

The exploit is a pre-authentication remote code execution chain that combines an authentication bypass (CVE-2023-29357) with a code injection flaw (CVE-2023-24955), the latter of which Microsoft patched in May 2023. Chaining the two vulnerabilities shows how far the attack vector can reach.

While specific instances of real-world attacks using CVE-2023-29357 have yet to be fully detailed, federal agencies have been advised to apply the necessary patches by January 31, 2024, to protect against the active threat. Cybersecurity professionals must remain vigilant and proactive in their patch management practices to defend against such vulnerabilities.

In a statement to The Hacker News, a Microsoft representative confirmed that a fix for CVE-2023-29357 has been available since June of the previous year. They advised that users who have enabled automatic updates, as well as those who have opted to receive updates for all Microsoft products in their Windows Update settings, are already protected against this vulnerability.

In conclusion, this incident reflects broader trends in cybersecurity, particularly concerning privilege escalation tactics that attackers increasingly exploit. Companies utilizing Microsoft SharePoint should assess their cybersecurity protocols to defend against potential exploitation and keep abreast of further developments.
