CyberWatch

Actively Exploited Microsoft SharePoint Server Vulnerability

By

Access Point Consulting

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-29357 to its Known Exploited Vulnerabilities catalog. The vulnerability has a CVSS score of 9.8 (CRITICAL) and is an Escalation of Privilege vulnerability that affects Microsoft SharePoint Server. For CISA to add a vulnerability to the catalog, three key criteria must be met: first, the vulnerability must have a CVE ID; second, there must be reliable evidence that it has been actively exploited in the wild; and third, a clear remediation action must be available. When a vulnerability is added to this list, it should be patched with urgency and in a particular way.

Impact Assessment

This vulnerability, which impacts Microsoft SharePoint Server 2019, allows a network-based attacker to carry out low-complexity attacks with high impact on Confidentiality, Integrity, and Availability, without user interaction or privileges. According to Microsoft, an attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack that bypasses authentication, gains the privileges of an authenticated user, and potentially gains administrator privileges.

What it means for you

Review your software inventory for instances of Microsoft SharePoint Server 2019. If you have instances of this software, check for installations of KB5002402 and KB5002403. If these installations do not exist, you are vulnerable and should patch as soon as possible.

Remediation

To remediate this vulnerability it is essential to install both KB5002402 and KB5002403 using one of three methods:

  • Using Microsoft Update
  • Downloading and deploying standalone packages from the Microsoft Update Catalog, or
  • Obtaining a standalone update package from Microsoft Download Center for both KBs.

Customers who have enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability.
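The inventory check described under "What it means for you" can be scripted. The following is an added example, not code from Access Point Consulting or Microsoft; the CSV column layout, host names, and the placeholder `KB0000001` are constructed for illustration.

```python
import csv
import io
import re

# KBs the advisory says must both be installed on SharePoint Server 2019.
REQUIRED_KBS = {"KB5002402", "KB5002403"}
PRODUCT = "microsoft sharepoint server 2019"

# Constructed sample inventory export (hypothetical column layout and hosts).
SAMPLE_INVENTORY = """\
host,product,installed_kbs,amsi_defender
sp-app01,Microsoft SharePoint Server 2019,KB5002402;KB5002403,no
sp-app02,Microsoft SharePoint Server 2019,kb5002402,no
sp-wfe01,Microsoft SharePoint Server 2019,,yes
sp-old01,Microsoft SharePoint Server 2016,KB0000001,no
fs01,Windows Server 2019,KB0000001,no
"""

def normalize_kbs(field):
    """Extract KB ids from a free-form field, e.g. 'kb5002402' -> 'KB5002402'."""
    return {"KB" + n for n in re.findall(r"(?i)\bKB\s*(\d+)\b", field or "")}

def audit(inventory_csv):
    """Return one finding per SharePoint Server 2019 host lacking a required KB."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != PRODUCT:
            continue  # the advisory only covers SharePoint Server 2019
        missing = REQUIRED_KBS - normalize_kbs(row["installed_kbs"])
        if missing:
            findings.append({
                "host": row["host"].strip(),
                "missing": sorted(missing),
                # AMSI + Defender mitigation from the advisory, reported
                # alongside the missing KBs so triage can order the work.
                "amsi_defender": row["amsi_defender"].strip().lower() == "yes",
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        note = " (AMSI + Defender recorded)" if f["amsi_defender"] else ""
        print(f"{f['host']}: missing {', '.join(f['missing'])}{note}")
```

A host with only one of the two KBs is still reported, since the remediation requires both.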

Business Implications

Exploitation of this vulnerability is likely, given the evidence of active exploitation and the level and ease of access it grants to the attacker. If exploited, it can allow the attacker to obtain administrator privileges, which grant the attacker the ability to do whatever they wish on the targeted system. This could allow them to move laterally through the environment and infect systems with malware. Monetary, reputational, and data loss will likely result from exploitation.

Access Point Technology Recommends

Patch: We recommend following vendor instructions and patching as soon as possible. Few vulnerabilities are added to the CISA Exploited Vulnerabilities list. Those that are should be taken seriously and remediated quickly.

Associated Bulletins

https://nvd.nist.gov/vuln/detail/CVE-2023-29357

https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-exploited-vulnerability-catalog

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
