Microsoft SharePoint Server: Patch for RCE vulnerability CVE-2024-21318, and CISA warns about CVE-2023-29357

Another addendum from the January 2024 patchday for Microsoft SharePoint Server. I mentioned the SharePoint Server RCE vulnerability CVE-2024-21318 in the patchday articles. This was closed with the security updates of January 9, 2023. There is a second vulnerability, the Elevation of Privilege vulnerability CVE-2023-29357, which was already closed in June 2023 and for which an exploit is known. The US CISA has published a warning because attacks on RCE vulnerabilities have been observed in the meantime. Administrators should therefore ensure that their SharePoint servers are up to date with the latest patches.

RCE vulnerability CVE-2024-21318

I had mentioned it in the blog post Microsoft Security Update Summary (January 9, 2024): Microsoft SharePoint Server contains the Remote Code Execution vulnerability CVE-2024-21318. In the linked blog post, I had written that this vulnerability had been assigned a CVSSv3 score of 8.8 based on a Tenable classification. Microsoft has assigned a CVSS 3.1 score of 8.8 / 7.7 to CVE-2024-21318 and categorizes the vulnerability as "important". The exploitability is categorized as "Exploitation More Likely".

An authenticated attacker with the "Site Owner" privilege can exploit the Remote Code Execution (RCE) vulnerability to inject arbitrary code into the system and execute this code in the context of SharePoint Server. In a network-based attack, an authenticated attacker who has at least site owner permissions can write arbitrary code that is then injected and executed remotely on the SharePoint Server.

Updates for Microsoft SharePoint Server January 2024

The updates for Microsoft SharePoint Server are listed by Microsoft in an overview for Microsoft Office on this website (and here for January 2024). Since there were no updates for the MSI versions of Microsoft Office 2016 as of January 9, 2024, I have not yet documented the available SharePoint updates in the blog:

All updates fix the previously mentioned RCE vulnerability CVE-2024-21318. Details are documented in the linked KB articles.

CISA warns about attacks on CVE-2023-29357

Yesterday I had already come across information about a warning from the US authority CISA (Cybersecurity and Infrastructure Security Agency) (see e.g. the following image of a post on BlueSky), which warns of attacks on the old vulnerability CVE-2023-29357 in Microsoft SharePoint Server.

The background to this is that CISA has added the vulnerability CVE-2023-29357 to its catalog of vulnerabilities that are known to be actively exploited in attacks. Administrators should therefore check whether the required patch has been installed. Below is some more information from the blog on this vulnerability.

Vulnerability CVE-2023-29357

I had already written something about the vulnerability CVE-2023-29357 in the blog post Microsoft Security Update Summary (June 13, 2023). This is an Elevation of Privilege (EoP) vulnerability in Microsoft SharePoint Server, which has been classified as critical with a CVSSv3 score of 9.8. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server, thereby gaining the privileges of an authenticated user on the target.

According to the advisory, no user interaction is required for an attacker to exploit this vulnerability. Microsoft also provides guidance on how to fix the vulnerability, stating that users who use Microsoft Defender in their SharePoint Server farms and have AMSI enabled are not affected.

CVE-2023-29357 was categorized as "Exploitation More Likely" according to Microsoft's Exploitability Index. According to Trend Micro's Zero Day Initiative (ZDI), CVE-2023-29357 was used in a successful demonstration of a chained attack during the Pwn2Own competition in Vancouver in March. ZDI notes that while Microsoft recommends enabling AMSI as a mitigation measure, it "has not tested the effectiveness of this measure."

Security updates available since June 2023

In the blog post Microsoft Office Updates (June 13, 2023), I pointed out the security updates for Microsoft SharePoint Server from June 2023 and also listed the required updates.

Exploit public since October 2023

I had already mentioned in October 2023, in the blog post Exploit for Microsoft SharePoint Server 2019 authentication bypass published (October 2023), that a security researcher had published an exploit for the vulnerability CVE-2023-29357, for which a patch had long been available. The security researcher Nguyễn Tiến Giang (Jang) from StarLabs SG had demonstrated an exploit for the vulnerability at the Pwn2Own hacking competition in Vancouver and received 100,000 dollars for it.

Similar articles:
Microsoft Security Update Summary (January 9, 2024)
Microsoft Security Update Summary (June 13, 2023)
Microsoft Office Updates (June 13, 2023)
Exploit for Microsoft SharePoint Server 2019 authentication bypass published (October 2023)
