Microsoft SharePoint Under Attack: CISA Issues Alert

The Cybersecurity and Infrastructure Security Agency (CISA) has expressed concern over the active exploitation of a vulnerability within the Microsoft SharePoint system, which allows malefactors to launch attacks via remote code execution (RCE).

The issue stems from two vulnerabilities, identified as CVE-2023-24955 and CVE-2023-29357, which together enable unauthorized assailants to gain administrative privileges on vulnerable SharePoint servers and execute code remotely.

The first vulnerability (CVE-2023-24955) permits attackers with site owner rights to execute code on the vulnerable servers. The latter (CVE-2023-29357) facilitates the remote circumvention of authentication using forged JWT tokens, thereby obtaining administrative privileges.

Both vulnerabilities can be combined to conduct RCE attacks on servers that have not been updated, as demonstrated by a researcher from STAR Labs at the Pwn2Own contest in Vancouver in March 2023.

Following the publication of an exploitation example for CVE-2023-29357 on GitHub in September, numerous PoC exploits have surfaced, simplifying the attack process for less experienced malefactors, including those published by STAR Labs.

In response, CISA has urged for the immediate rectification of these vulnerabilities, adding CVE-2023-29357 to its catalog of known exploited vulnerabilities and mandating that federal agencies in the US rectify the issue by the end of January. More recently, on March 26, the agency also included CVE-2023-24955, demanding the security of SharePoint servers be ensured by April 16.

While CISA has not provided specific information on attacks utilizing these vulnerabilities, it emphasized that such issues often become targets for cybercriminals and pose a significant risk.

CISA strongly recommends not only federal agencies but also private organizations prioritize addressing these vulnerabilities to prevent potential attacks.