Mar 27, 2024NewsroomThreat Intelligence / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Microsoft Sharepoint Server to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild.

The vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), is a critical remote code execution flaw that allows an authenticated attacker with Site Owner privileges to execute arbitrary code.

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server,” Microsoft said in an advisory. The flaw was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.

The development comes more than two months after CISA added CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalog.

It’s worth pointing out that an exploit chain combining CVE-2023-29357 and CVE-2023-24955 was demonstrated by StarLabs SG at the Pwn2Own Vancouver hacking contest last year, earning the researchers a $100,000 prize.

That said, there is currently no information on the attacks weaponizing these two vulnerabilities and the threat actors that may be exploiting them.

Microsoft previously told The Hacker News that “customers who have enabled automatic updates and enable ‘Receive updates for other Microsoft products’ option within their Windows Update settings are already protected.”

Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 16, 2024, to secure their networks against active threats.

Jan 12, 2024NewsroomCyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2023-29357 (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft released patches for the bug as part of its June 2023 Patch Tuesday updates.

“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Redmond said. “The attacker needs no privileges nor does the user need to perform any action.”

Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG demonstrated an exploit for the flaw at the Pwn2Own Vancouver hacking contest, earning a $100,000 prize.

The pre-authenticated remote code execution chain combines authentication bypass (CVE-2023–29357) with a code injection bug (CVE-2023-24955, CVSS score: 7.2), the latter of which was patched by Microsoft in May 2023.

“The process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain,” Tiến Giang noted in a technical report published in September 2023.

Additional specifics of the real-world exploitation of CVE-2023–29357 and the identity of the threat actors that may be abusing them are presently unknown. That said, federal agencies are recommended to apply the patches by January 31, 2024, to secure against the active threat.