{"id":9701,"date":"2019-05-13T07:55:37","date_gmt":"2019-05-13T05:55:37","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=9701"},"modified":"2021-11-30T06:59:26","modified_gmt":"2021-11-30T05:59:26","slug":"sharepoint-vulnerability-cve-2019-0604-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/05\/13\/sharepoint-vulnerability-cve-2019-0604-exploited-in-the-wild\/","title":{"rendered":"SharePoint Vulnerability CVE-2019-0604 exploited in the wild"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/05\/13\/schwachstelle-cve-2019-0604-gefhrdet-sharepoint-server\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] A brief note to administrators of SharePoint servers. The vulnerability CVE-2019-0604 is now being exploited 'in the wild' to attack unpatched SharePoint systems. Microsoft released security updates for it in February 2019.<\/p>\n<p><!--more--><\/p>\n<h2>SharePoint is under attack<\/h2>\n<p>I already stumbled across a tweet by Kevin Beaumont (@GossiTheDog) on Saturday, who brought the topic to public attention. <\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\"> CVE-2019-0604 is being exploited in the wild  It's a web based remote code execution vuln without need for authentication, plus Microsoft had to reissue the patch later as the first one didn't fix the vulnerability &#8211; so lots of places are exposed. <a href=\"https:\/\/t.co\/qBDxwyJWi4\">https:\/\/t.co\/qBDxwyJWi4<\/a><\/p>\n<p>\u2014 Kevin Beaumont \u200d\u2640\ufe0f (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1126833629236215808?ref_src=twsrc%5Etfw\">
10 May 2019<\/a><\/p><\/blockquote>\n<p><span id=\"preservea4a3b870ad534784855634fae386d44f\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"https:\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>Woody Leonhard mentioned it <a href=\"https:\/\/www.askwoody.com\/2019\/running-sharepoint-server-better-get-your-patches-brought-up-to-date\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>, and there is a further mention <a href=\"https:\/\/mspoweruser.com\/microsoft-now-has-a-reason-to-worry-about-sharepoint-servers\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. According to a report by security researchers at AT&amp;T Alien Labs, threat actors are currently attempting to exploit the Microsoft SharePoint vulnerability CVE-2019-0604 in attacks in the wild. The Security Affairs website <a href=\"https:\/\/web.archive.org\/web\/20210123195605\/https:\/\/securityaffairs.co\/wordpress\/85324\/breaking-news\/ms-sharepoint-cve-2019-0604-flaw.html\" target=\"_blank\" rel=\"noopener noreferrer\">writes here<\/a>: <\/p>\n<blockquote>\n<p>AlienLabs has seen a number of reports related to the active exploitation of the CVE-2019-0604 vulnerability in Microsoft Sharepoint.<\/p>\n<\/blockquote>\n<p>The security researchers at AT&amp;T Alien Labs reported on attacks against organizations in Saudi Arabia and Canada. 
A <a href=\"https:\/\/web.archive.org\/web\/20190703180718\/https:\/\/www.ncsc.gov.sa\/wps\/portal\/ncsc\/home\/Alerts\/!ut\/p\/z1\/lVLRboJAEPwaH8kud-cBj2elYKkxYgpyLwYR67VyaEts-_c9apM2aYS6T3PJ3O7szIKEJUidn9Rj3qha53vzziRf2fbYDUmA9zMnGqMYzRe3QxpQMUVIQIIsdHNodpDp4rXYq_UAWzDAXV2VZ7xq4arULflQqA1khBPGiyGxkOWOxYiXW57tEWvLGS9dToi33kD6NR0njIU2I9EsRkRBkzCk7o2NAQX5W5w7cgTOEZOJmER0HvHv_x0E2b1cz3zyv_l4oQReqf-vQNndfmEcvzuTLntoIlZPx6MUJsdaN-V7A8v-INM2yh5z-uRlZj3nZ70g8bjpEDt-Evt0ljBIT6p8gwddv1TmFhdXXk-IcKgql34oU1aQWs_bqU_ZJ0-OxIA!\/dz\/d5\/L2dBISEvZ0FBIS9nQSEh\/\" target=\"_blank\" rel=\"noopener noreferrer\">report<\/a> based on evidence from the Saudi Cyber Security Centre suggests that threat actors are primarily targeting organizations within the Kingdom. The Canadian Cyber Security Centre reported (<a href=\"https:\/\/securityaffairs.co\/wordpress\/82018\/apt\/apt40-naval-industry.html\" target=\"_blank\" rel=\"noopener noreferrer\">see<\/a>) similar attacks aimed at providing the China Chopper Web Shell to ensure persistence in target networks. The security company writes in a <a href=\"https:\/\/otx.alienvault.com\/pulse\/5cd3f89df12b501c477a6fba\" target=\"_blank\" rel=\"noopener noreferrer\">short report<\/a>:<\/p>\n<blockquote>\n<p><em>\"AlienLabs has identified malware (https:\/\/pastebin.com\/bUFPhucz) that is likely an earlier version of the second-stage malware deployed in the Saudi Intrusions. <\/em><em>This malware sample was shared by a target in China.\"<\/em><\/p>\n<\/blockquote>\n<p>The malware supports multiple commands, including downloading and uploading files and running commands from the web address http[ :\/\/ ]$SERVER\/Temporary_Listen_Addresses\/SMSSERVICE.  
<\/p>\n<h2>Vulnerability CVE-2019-0604 in SharePoint<\/h2>\n<p>The vulnerability has been described <a href=\"https:\/\/www.thezdi.com\/blog\/2019\/3\/13\/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> by the Zero Point Initiative. Microsoft addressed vulnerability <a href=\"https:\/\/web.archive.org\/web\/20201010044010\/https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-0604\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2019-0604 in SharePoint<\/a> in February 2019. <\/p>\n<blockquote>\n<p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. <\/p>\n<p>Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint. <\/p>\n<p>The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.<\/p>\n<\/blockquote>\n<p>It is a remote code execution vulnerability that attackers can exploit to run malicious code in the context of the SharePoint application pool and the server farm account. Updates for the various SharePoint products have been available via the linked Microsoft advisory since February 2019. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] A brief note to administrators of SharePoint servers. The vulnerability CVE-2019-0604 is now being exploited 'in the wild' to attack unpatched SharePoint systems. 
Microsoft has released security updates in February 2019.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69,1633],"class_list":["post-9701","post","type-post","status-publish","format-standard","hentry","category-security","tag-security","tag-sharepoint"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=9701"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9701\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=9701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=9701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=9701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}