Exploit for Microsoft SharePoint Server 2019 authentication bypass published (October 2023)

Here is a short note for SharePoint administrators. Microsoft already disclosed an authentication bypass vulnerability (CVE-2023-29357) in June 2023, so the vulnerability can be closed by installing the update. Now a security researcher has published an exploit for the vulnerability.



Already noted in June 2023

I had already pointed out the CVE-2023-29357 vulnerability in the June 2023 blog post Microsoft Security Update Summary (June 13, 2023).

CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability, CVSSv3 score 9.8, critical; it is an EoP vulnerability in Microsoft SharePoint Server 2019.

A remote, unauthenticated attacker can exploit the vulnerability by sending a forged JWT authentication token to a vulnerable server. This gives the attacker the privileges of an authenticated user on the target system. According to the advisory, no user interaction is required for an attacker to exploit this vulnerability.

Microsoft also provides remediation guidance for the vulnerability, stating that users who use Microsoft Defender in their SharePoint Server farms and have AMSI enabled are not affected. CVE-2023-29357 has been rated as Exploitation More Likely, according to Microsoft's Exploitability Index. The vulnerability was closed with the June 2023 updates for SharePoint Server (see also Microsoft Office Updates (June 13, 2023), Update KB5002402 SharePoint Server 2019).

According to Trend Micro's Zero Day Initiative (ZDI), CVE-2023-29357 was used in a successful demonstration of a chained attack during the Pwn2Own competition in Vancouver in March. ZDI notes that while Microsoft recommends enabling AMSI as a remediation measure, it "has not tested the effectiveness of this measure."

Exploit published

Nguyễn Tiến Giang from Vietnam has published a technical analysis of the vulnerability in the post [P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023–29357 & CVE-2023–24955). As of October 2, 2023, someone wrote on Twitter that they had managed to target the CVE-2023-29357 and CVE-2023-24955 vulnerabilities in Microsoft SharePoint 2019. The chaining of the vulnerabilities allows unauthenticated users to execute arbitrary commands on the server.



SharePoint 2019 Exploit

Administrators should update SharePoint Server 2019 as soon as possible. Those who patch promptly should be protected against CVE-2023-29357 on Microsoft SharePoint Server 2019. The colleagues from Bleeping Computer have gathered some more information about the issue in this article.


