CVE-2023-29357 in SharePoint: It's even easier for ransomware to upgrade privileges and execute code remotely

CISA warns of a new threat following publication of an exploit for an old vulnerability.

Researchers report a serious threat: criminals who distribute ransomware have obtained a working exploit for a vulnerability in Microsoft SharePoint. The bug, which is almost a year old, was recently added to the list of critical issues requiring immediate remediation, according to the Cybersecurity and Infrastructure Protection Agency (CISA).

However, according to CISA, the use of this exploit in extortion campaigns has not yet been recorded.

The vulnerability, identified as CVE-2023-29357, was first identified by Nguyen Tien Giang of Singapore-based STAR Labs. During the Pwn2Own competition held in Vancouver in March 2023, Giang managed to use it together with another bug to achieve unauthorized remote code execution on a SharePoint server.

CVE-2023-29357 is a critical privilege escalation vulnerability with a severity score of 9.8. Microsoft released a corresponding patch in June 2023, and Giang shared details about the development of the exploit a few months later, in September.

The day after Giang's write-up was published, proof-of-concept code for CVE-2023-29357 was posted on GitHub. However, this code did not contain instructions on how to integrate it with other vulnerabilities, including CVE-2023-24955, which was necessary to create a comprehensive exploit. It was this combined approach that allowed Giang to win a $100,000 prize at Pwn2Own.

One of the researchers, Kevin Beaumont, expressed the opinion that attacks using these defects may begin in the coming weeks.

As a rule, after the publication of a proof of concept for any vulnerability, the number of attacks increases dramatically. Currently, the delay may be due to the fact that CVE-2023-29357 and CVE-2023-24955 are quite difficult to combine. According to Giang, it took his team almost a year of effort and research.

Microsoft released patches for CVE-2023-29357 in June and for CVE-2023-24955 in May 2023. However, administrators are reminded that applying the June updates does not guarantee full protection: it requires SharePoint-specific patches, which are not installed automatically via Windows Update.

CVE-2023-24955 is also rated as easily exploitable, but it has a less serious rating of 7.2 because it requires certain privileges to be used remotely.

According to information from NHS Digital, there are currently no known code prototypes for the RCE vulnerability online. This means that anyone exploiting it has developed the exploit independently and is keeping it secret. This highlights the need for increased vigilance and timely implementation of updates on the part of IT professionals.

The situation is a reminder that the world of cybersecurity is constantly evolving, and that rapid response to new threats, as well as regular security updates, is critical for protecting organizations' data and infrastructure. It also serves as a warning to all SharePoint users that underestimating cyber threats can lead to serious consequences and losses.
 