Security researchers have identified two critical vulnerabilities in Microsoft SharePoint Server and chained them into an exploit that allows remote code execution. The first vulnerability, CVE-2023-29357 (CVSS 9.8), is a privilege escalation flaw in SharePoint Server 2019; Microsoft released a patch for it in June. It allows malicious actors to bypass authentication and gain elevated privileges without any user interaction. The second, CVE-2023-24955 (CVSS 7.3), is a remote code execution flaw affecting SharePoint Server 2019, SharePoint Server 2016 and SharePoint Server Subscription Edition; Microsoft fixed it in May.
Both issues are considered critical, and according to the Censys platform over 100,000 SharePoint servers reachable from the Internet are potentially at risk. Researchers from StarLabs have published exploit details showing how the two defects can be combined for remote code execution without authentication. The exploit works by forging a JWT authentication token whose claims impersonate an administrator. Because the signing algorithm the token declares does not require a digital signature, the token can be modified without detection. The forged token then allows code to be run on the server through the CVE-2023-24955 vulnerability.
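The unsigned-token acceptance described above, illustrated with added Python (not code from StarLabs or from the article): a verifier that lets the token's own header choose the algorithm accepts a token with no signature and trusts its claims, while a verifier that pins the algorithm and demands a signature rejects the same token. The key, claims and tokens are constructed for this demonstration.

```python
import base64
import hashlib
import hmac
import json

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(header, payload, key=None) -> str:
    """Serialise a JWT; with key=None the signature part is left empty (unsigned)."""
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return f"{signing_input}.{_b64url_encode(sig)}"

def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s), f"{h}.{p}"

def verify_trusting_header(token: str, key: bytes):
    """WEAK: the token's own header picks the algorithm, so an unsigned token
    ("alg": "none") is accepted and its claims are trusted as-is."""
    header, payload, sig, signing_input = _split(token)
    if header.get("alg") == "none":
        return payload
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(sig, expected) else None

def verify_pinned(token: str, key: bytes):
    """HARDENED: the server decides the algorithm; any other algorithm or an
    empty signature is rejected before a single claim is read."""
    header, payload, sig, signing_input = _split(token)
    if header.get("alg") != "HS256" or not sig:
        return None
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return payload if hmac.compare_digest(sig, expected) else None

# Constructed demo data: a key and two tokens carrying the same admin claims.
DEMO_KEY = b"constructed-demo-key"
ADMIN_CLAIMS = {"sub": "user1", "isadmin": True}
SIGNED = build_token({"alg": "HS256", "typ": "JWT"}, ADMIN_CLAIMS, DEMO_KEY)
UNSIGNED = build_token({"alg": "none", "typ": "JWT"}, ADMIN_CLAIMS, None)

if __name__ == "__main__":
    print("weak verifier, unsigned token  :", verify_trusting_header(UNSIGNED, DEMO_KEY))
    print("pinned verifier, unsigned token:", verify_pinned(UNSIGNED, DEMO_KEY))
    print("pinned verifier, signed token  :", verify_pinned(SIGNED, DEMO_KEY))
```

The defensive check is the pinned verifier: the expected algorithm is fixed server-side and an empty signature is never a valid one, whatever the header claims.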
Valentin Lobstein, an independent specialist from Oteria Cyber School, has posted proof-of-concept code on GitHub demonstrating the exploitation of CVE-2023-29357. The code shows how a malicious user can impersonate a legitimate user and obtain elevated privileges on unpatched SharePoint systems. In an interview with Dark Reading, Lobstein explained that such attacks could have severe consequences, from the loss of confidential data to Denial of Service (DoS). He also mentioned another exploit presented by the team at VNPT Information Technology Company.
Although Microsoft has not yet commented, the company previously advised enabling AMSI integration on SharePoint and using Microsoft Defender as a precaution against CVE-2023-29357. SOCRadar emphasized the importance for organizations using SharePoint Server, especially the 2019 version, to act as soon as possible. The risks from the exploit’s use by attackers have significantly increased since its publication.
Source: Red Hot Cyber
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try yourself using check.website.