[CDP-development] TLP:GREEN (Vulnerability Alert Notification) - CVE-2023-29357: Microsoft SharePoint Server Privilege Escalation Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jan 10 13:00:58 PST 2024
Good afternoon,
The SOC Services team is reporting on the vulnerability CVE-2023-29357: Microsoft SharePoint Server Privilege Escalation Vulnerability. Because of its high visibility and because the affected software is known to be installed in the state environment, we are providing this in-depth information:
History: On January 10, 2024, CISA added CVE-2023-29357 to the Known Exploited Vulnerabilities Catalog. CVE-2023-29357 allows remote attackers to escalate privileges on unpatched installations of Microsoft SharePoint Server and was assigned a CVSS score of 9.8.
Security notification and patch information from Microsoft can be found below.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357
Intelligence: As of January 10, 2024, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: There are no workarounds for this vulnerability.
How it works: This is an elevation of privilege (EoP) vulnerability in Microsoft SharePoint Server. A remote, unauthenticated attacker can exploit it by sending a spoofed JSON Web Token (JWT) authentication token to a vulnerable server, which gives the attacker the privileges of an authenticated user on the target. According to Microsoft's advisory, no user interaction is required for an attacker to exploit this flaw.
Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could gain administrator privileges.
The following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
177243 <https://www.tenable.com/plugins/nessus/177243> | Security Updates for Microsoft SharePoint Server 2019 (June 2023) | Critical
114099 <https://www.tenable.com/plugins/was/114099> | Microsoft SharePoint Server 2019 build < 16.0.10399.20005 Elevation of Privilege | Critical
187058 <https://www.tenable.com/plugins/nessus/187058> | Microsoft SharePoint Authentication Bypass (CVE-2023-29357) | Critical
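The build threshold in the title of plugin 114099 can also be applied to an inventory export as a quick cross-check. The script below is an added example, not part of the original notification or of Tenable's plugin logic; the inventory format, host names and build values are constructed, and the status labels are hypothetical.

```python
import re

# Threshold quoted in the title of Tenable plugin 114099 in this notification.
FIXED_2019 = (16, 0, 10399, 20005)
PRODUCT_2019 = "SharePoint Server 2019"

# Constructed inventory export (assumed format): host, product label, build.
SAMPLE_INVENTORY = """\
sp-app-01,SharePoint Server 2019,16.0.10398.20000
sp-app-02,SharePoint Server 2019,16.0.10399.20005
sp-app-03,SharePoint Server 2019,16.0.10401.20025
sp-wfe-04,SharePoint Server 2019,16.0.10399
sp-old-05,SharePoint Server 2016,16.0.5400.1000
"""

def parse_build(text):
    """Return the build as a 4-tuple of ints, or None if it is incomplete."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(product, build_text):
    """Classify one host against the SharePoint Server 2019 threshold."""
    if product.strip() != PRODUCT_2019:
        return "NOT_COVERED"  # this threshold applies to the 2019 product only
    build = parse_build(build_text)
    if build is None:
        return "UNKNOWN"  # truncated or malformed build: verify on the host
    # Tuples compare numerically per component; comparing the raw strings
    # would rank 16.0.9999.x above 16.0.10399.x.
    return "VULNERABLE" if build < FIXED_2019 else "AT_OR_ABOVE_THRESHOLD"

def triage(inventory_csv):
    """Map each host in the export to its classification."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, build = (field.strip() for field in line.split(",", 2))
        results[host] = classify(product, build)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as UNKNOWN or NOT_COVERED still need a manual check against the Microsoft advisory linked above.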
Additional Resources:
https://github.com/Chocapikk/CVE-2023-29357
Recommended Actions:
* Verify that the host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Limit access to affected devices to trusted hosts only.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."