Advisory January 12, 2024

Microsoft SharePoint Vulnerability CVE-2023-29357 Exploited in the Wild

Obrela TI Team

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2023-29357 and carrying a high CVSS score of 9.8, the vulnerability allows privilege escalation. An attacker who uses spoofed JWT authentication tokens can execute a network attack that bypasses authentication, gains access to the privileges of an authenticated user, and can obtain administrator privileges.

Exploit Details

Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG demonstrated the exploit at the Pwn2Own Vancouver hacking contest. The exploit combines CVE-2023-29357 with a code injection vulnerability, CVE-2023-24955 (CVSS score: 7.2), patched by Microsoft in May 2023. The chaining of these vulnerabilities forms a pre-authenticated remote code execution chain, allowing attackers to execute arbitrary code on affected SharePoint Servers.

Real-world Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2023-29357 to its Known Exploited Vulnerabilities (KEV) catalog. The specifics of the real-world exploitation and the identity of the threat actors remain unknown. However, federal agencies are strongly advised to apply the provided patches by January 31, 2024, to mitigate the active threat.

Solution

Microsoft has released patches for both vulnerabilities as part of the May and June 2023 Patch Tuesday updates. Immediate application of these patches is strongly recommended to safeguard against potential exploitation. Despite the current PoC limitations, it’s crucial to recognize that threat actors may adapt and enhance the exploit for malicious purposes.
