
CISA Alerts on Active Exploitation of Microsoft SharePoint Vulnerabilities

Patch your SharePoint now! Hackers are actively exploiting critical flaws that could grant them full control of your servers.


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of two significant vulnerabilities in Microsoft SharePoint Server. The first vulnerability, identified as CVE-2023-24955, allows attackers with authenticated access and Site Owner privileges to execute code remotely on affected servers. The second, CVE-2023-29357, enables remote attackers to gain administrative privileges by circumventing authentication mechanisms with spoofed JWT authentication tokens. The two vulnerabilities can be chained so that unauthenticated attackers can execute code remotely on unpatched SharePoint servers.

Exploitation Demonstrated and Proof-of-Concept Released

The vulnerabilities' potential for harm was demonstrated by STAR Labs researcher Nguyễn Tiến Giang (Janggggg) during the Pwn2Own contest in Vancouver in March 2023. Following this demonstration, a proof-of-concept (PoC) exploit for CVE-2023-29357 was made publicly available on GitHub on September 25, a day after a detailed technical analysis of the exploitation process was published by the researcher. Although the initial PoC exploit did not facilitate remote code execution, it has been suggested that threat actors could modify this exploit to leverage CVE-2023-24955 for remote code execution attacks. Since then, multiple PoC exploits targeting this exploit chain have appeared online, increasing the ease with which attackers could exploit these vulnerabilities.

CISA's Response and Recommendations

In response to these threats, CISA has taken significant steps to mitigate the risks posed by these vulnerabilities. The agency added CVE-2023-29357 to its Known Exploited Vulnerabilities Catalog in October, requiring U.S. federal agencies to patch the vulnerability by January 31. More recently, CVE-2023-24955 was also added to the catalog, with a compliance deadline set for April 16. These requirements, issued under Binding Operational Directive (BOD) 22-01, underscore the urgency of addressing these security flaws to protect federal enterprises from potential cyberattacks.

While CISA has not provided specific details on attacks exploiting these SharePoint vulnerabilities, the agency emphasized the absence of evidence linking them to ransomware attacks. Nonetheless, CISA has highlighted the significant risk these vulnerabilities pose to the federal enterprise, urging not only federal agencies but also private organizations to prioritize patching them to prevent potential attacks. The exploitation of these vulnerabilities underscores the ongoing threats faced by organizations and the importance of maintaining robust security practices to safeguard sensitive information and infrastructure.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
