Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-29357 to its Known Exploited Vulnerabilities catalog. The vulnerability has a CVSS score of 9.8 CRITICAL and is an Escalation of Privilege vulnerability that affects Microsoft SharePoint Server. For CISA to add a vulnerability to its Known Exploited Vulnerabilities catalog, three key criteria must be met. First, the vulnerability must have a CVE ID; second, there must be reliable evidence that the vulnerability has been actively exploited in the wild; and third, a clear remediation action for the vulnerability must be available. When a vulnerability is added to this list, it should be patched with urgency and in a particular way.
Impact Assessment
This vulnerability, which impacts Microsoft SharePoint Server 2019, allows a network-based attacker to perform high-impact Confidentiality, Integrity, and Availability exploits in a low-complexity manner, without user interaction or privileges. According to Microsoft, an attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack that bypasses authentication measures, gains the privileges of an authenticated user, and potentially even gains administrator privileges.
What it means for you
Review your software inventory for instances of Microsoft SharePoint Server 2019. If you have instances of this software, check for installations of KB5002402 and KB5002403. If these installations do not exist, you are vulnerable and should patch as soon as possible.
Remediation
To remediate this vulnerability, it is essential to install both KB5002402 and KB5002403 using one of three methods:
- Using Microsoft Update
- Downloading and deploying standalone packages from the Microsoft Update Catalog, or
- Obtaining a standalone update package from Microsoft Download Center for both KBs.
Customers who have enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability.
Business Implications
Exploitation of this vulnerability is likely, given the evidence of active exploitation and the level and ease of access it grants to the attacker. If exploited, it can allow the attacker to obtain administrator privileges, which will grant the attacker the ability to do whatever they wish on the targeted system. This could allow them to move laterally through the environment and infect systems with malware. Monetary, reputational, and data loss will likely result from exploitation.
Access Point Technology Recommends
Patch: We recommend following vendor instructions and patching as soon as possible. Few vulnerabilities are added to the CISA Exploited Vulnerabilities list. Those that are should be taken seriously and remediated quickly.
Associated Bulletins
https://nvd.nist.gov/vuln/detail/CVE-2023-29357
https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-exploited-vulnerability-catalog
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357