.svg)
.svg)
In June 2023, Microsoft released patches to address security issues found in Microsoft SharePoint [1]. CVE-2023-29357 is a critical privilege escalation vulnerability that can be leveraged to remote code execution when combined with other vulnerabilities. Since CVE-2023-29357 has a CVSS score of 9.8 (Critical) and publicly available proof-of-concept (PoC), organizations are advised to update their vulnerable SharePoint Servers as soon as possible.
In this blog, we explained how the Microsoft SharePoint CVE-2023-29357 exploit works.
What is Microsoft SharePoint CVE-2023-29357 Elevation of Privilege Vulnerability?
Microsoft releases patches for its products on the second Tuesday of every month. This is called Patch Tuesday. On Patch Tuesday of June 2023, Microsoft released a security patch for a privilege escalation vulnerability found in Microsoft SharePoint. CVE-2023-29357 allows an unauthenticated attacker to gain administrator-level privileges when exploited. The vulnerability has a CVSS score of 9.8 (Critical) and can be chained with a code injection vulnerability for remote code execution in vulnerable SharePoint servers. Organizations are advised to patch their SharePoint Server 2019 products to build 16.0.10399.20005 or higher.
CVE-2023-29357 is an authentication bypass vulnerability that adversaries may use to impersonate any SharePoint user. If the impersonated user is a privileged account, such as an administrator, the attacker will gain elevated privileges in the victim's network. In the wild, adversaries may chain CVE-2023-29357 vulnerability with other vulnerabilities for remote code execution.
How Does Microsoft SharePoint CVE-2023-29357 Exploit Work?
CVE-2023-29357 is an authentication bypass vulnerability that allows adversaries to impersonate any valid SharePoint user. This vulnerability stems from the signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic flaw in the ReadTokenCore() method. As an example, the spoofed and Base64-decoded JWT token is given below. This spoofed token is used to impersonate the Administrator user.
|
{"alg": "none"} {"iss":"00000003-0000-0ff1-ce00-000000000000", "aud": "00000003-0000-0ff1-ce00-000000000000/splab@3b80be6c-6741-4135-9292-afed8df596af", "Nbf":"1673410334", "Exp":"1693410334", "nameid":"c#.w|Administrator", "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname":"Administrator", "Appidacr":"0", "isuser":"0", "http://schemas.microsoft.com/office/2012/01/nameidissuer":"AccessToken", "Ver":"hashedprooftoken", "endpointurl": "FVIwBWTuuWfszO7WYRZYiozMe8OaSaWO/wyDR3W6e94=", "name":"f#xw|Administrator", "identityprovider":"windOws:aaaaa", "userid":"asaadasd"} |
After impersonating the administrator user, there are several things that an adversary can do in SharePoint API. One of them is to abuse another vulnerability that allows code injection. CVE-2023-24955 is a remote code execution vulnerability that has a CVSS score of 7.2 (High). Since the impersonated account is a privileged account, attackers can replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" in the web root directory. The replaced file is then compiled and executed by SharePoint, allowing attackers to remotely execute commands via SharePoint API.
There are publicly available proof-of-concept (PoC) for CVE-2023-29357, and cyber threat actors are often quick to abuse known and critical vulnerabilities before organizations can patch them. Therefore, organizations are urged to patch their SharePoint servers as soon as possible.
How Picus Helps Simulate Microsoft SharePoint CVE-2023-29357 Attacks?
We also strongly suggest simulating Microsoft SharePoint CVE-2023-29357 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyShell, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Microsoft SharePoint CVE-2023-29357 vulnerability exploitation attacks:
|
Threat ID |
Threat Name |
Attack Module |
|
95895 |
Microsoft Sharepoint Web Attack Campaign |
Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Microsoft SharePoint vulnerabilities and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Microsoft SharePoint vulnerabilities:
|
Security Control |
Signature ID |
Signature Name |
|
Checkpoint NGFW |
asm_dynamic_prop_XSS_SCAN |
Cross-Site Scripting Scanning Attempt |
|
Checkpoint NGFW |
asm_dynamic_prop_CVE_2020_0646 |
Microsoft .NET Framework Remote Code Execution (CVE-2020-0646) |
|
Checkpoint NGFW |
asm_dynamic_prop_CVE_2020_0932 |
Microsoft SharePoint Remote Code Execution (CVE-2020-0932) |
|
Checkpoint NGFW |
asm_dynamic_prop_CVE_2020_16952 |
Microsoft SharePoint Remote Code Execution (CVE-2020-16952) |
|
Checkpoint NGFW |
asm_dynamic_prop_CVE_2013_0081 |
Microsoft SharePoint W3WP Denial of Service (MS13-067) |
|
Cisco Firepower |
1.1288.18 |
SERVER-OTHER Microsoft Frontpage /_vti_bin/ access |
|
Cisco Firepower |
1.27818.3 |
SERVER-OTHER Microsoft SharePoint denial of service attempt |
|
Cisco Firepower |
1.61937.1 |
SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt |
|
Citrix |
1288 |
bash code injection vulnerability |
|
Citrix |
999979 |
web-frontpage /_vti_bin/ access |
|
Citrix |
1288 |
web-frontpage /_vti_bin/ access |
|
Citrix |
998639 |
web-misc microsoft sharepoint server - elevation of privilege vulnerability via authorization header (cve-2023-29357) |
|
F5 BIG-IP |
200004515 |
ASP.NET code injection - Process.Start (Parameter) |
|
F5 BIG-IP |
200004513 |
ASP.NET code injection - System.Diagnostics.Process.Start (Parameter) |
|
F5 BIG-IP |
200001490 |
confirm() (URI) |
|
Forcepoint NGFW |
HTTP_CSH-Microsoft-Sharepoint-Authentication-Bypass-CVE-2023-29357 |
|
|
Forcepoint NGFW |
HTTP_CSU-Microsoft-Sharepoint-Denial-Of-Service-Vulnerability |
|
|
Forcepoint NGFW |
HTTP_CSU-Microsoft-SharePoint-Remote-Code-Execution |
|
|
Fortigate IPS |
47918 |
applications3: MS.SharePoint.CVE-2019-0604.Remote.Code.Execution |
|
Fortigate IPS |
48866 |
applications3: MS.SharePoint.Workflows.XOML.Remote.Code.Injection |
|
Fortigate WAF |
10000150 |
Cross Site Scripting |
|
Fortigate WAF |
20000153 |
Cross Site Scripting (Extended) |
|
Fortigate IPS |
37010 |
web_server: MS.SharePoint.Server.Infinite.Looping.DoS |
|
Fortiweb |
10000150 |
Cross Site Scripting |
|
Imperva SecureSphere |
CVE-2019-0604: Microsoft SharePoint Remote Code Execution |
|
|
Imperva SecureSphere |
WEB-IIS cmd.exe access |
|
|
Mcafee |
0x4529fc00 |
HTTP: Microsoft ASP.NET Framework Remote Code Execution Vulnerability |
|
Mcafee |
0x45261c00 |
HTTP: Microsoft SharePoint Remote Code Execution (CVE-2019-0604) |
|
Mcafee |
0x45286000 |
HTTP: Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-16952) |
|
Mcafee |
0x452cff00 |
HTTP: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2023-33134) |
|
Mcafee |
0x4510e800 |
HTTP: Microsoft SharePoint ws asmx Denial of Service Vulnerability |
|
Modsecurity |
932200 |
RCE Bypass Technique |
|
Modsecurity |
932150 |
Remote Command Execution: Direct Unix Command Execution |
|
Modsecurity |
932105 |
Remote Command Execution: Unix Command Injection |
|
Palo Alto |
57656 |
Microsoft .Net Framework Remote Code Execution Injection Vulnerability |
|
Palo Alto |
36107 |
Microsoft SharePoint Denial of Service Vulnerability |
|
Palo Alto |
94077 |
Microsoft SharePoint Server Remote Code Execution Vulnerability |
|
Snort |
1.2027345.3 |
ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604) |
|
Snort |
1.1288.18 |
SERVER-OTHER Microsoft Frontpage /_vti_bin/ access |
|
Snort |
1.27818.3 |
SERVER-OTHER Microsoft SharePoint denial of service attempt |
|
Snort |
1.55862.2 |
SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt |
|
Snort |
1.61937.1 |
SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt |
|
Tippingpoint |
13163 |
HTTP: Microsoft SharePoint Server ws.asmx Page Request |
|
Tippingpoint |
38083 |
HTTP: Microsoft .NET Framework Code Execution Injection Vulnerability |
|
Tippingpoint |
42544 |
HTTP: Microsoft SharePoint Authentication Bypass Vulnerability (Pwn2Own ZDI-23-882) |
|
Tippingpoint |
33692 |
HTTP: Microsoft SharePoint EntityInstanceIdEncoder Deserialization Vulnerability (ZDI-19-181) |
|
Tippingpoint |
42000 |
UDP: YSoSerial.Net Deserialization Tool Usage |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "Security Update Guide - Microsoft Security Response Center." Available: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357. [Accessed: Sep. 27, 2023]
