Cybersecurity Threat Advisory

A critical security vulnerability was identified in Microsoft Power Platform’s SharePoint connector. Successful exploitation allows attackers to harvest user credentials and perform unauthorized actions within the platform. Continue reading this Cybersecurity Threat Advisory to learn how to fully secure your environment.

What is the threat?

This vulnerability is classified as a Server-Side Request Forgery (SSRF). It arises from the “custom value” functionality within the SharePoint connector, which permits users to supply their own URLs as part of a flow. An attacker with the Environment Maker and Basic User roles in Power Platform can exploit the flaw by creating a malicious flow or app and sharing it with a target user. When the victim interacts with this malicious resource, their SharePoint JSON Web Token (JWT) access token is leaked to the attacker. The attacker can then use this token to impersonate the user and send requests to the SharePoint API, gaining unauthorized access to sensitive data.

Why is it noteworthy?

This vulnerability enables attackers to abuse the SharePoint connector to request both internal and external resources. As a result, they can reach internal SharePoint resources that the user or workflow would typically not have permission to access, and they can interact with other internal systems or services that are not exposed to the public internet. By harvesting credentials, attackers can impersonate users, access sensitive SharePoint data, and send it to external locations they control.

What is the exposure or risk?

Organizations using the Microsoft SharePoint connector on the Power Platform are at risk of exploitation. A successful attack could lead to data breaches, credential theft, privilege escalation, and lateral movement within the network.

What are the recommendations?

Barracuda recommends the following actions to secure your environment:

  • Update to the latest version to address the vulnerability.
  • Limit permissions by granting only the access to Power Apps and Flows that users actually need, minimizing potential damage.
  • Implement strong input validation and sanitization of user-supplied values, such as custom URLs, to prevent manipulation by attackers.
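As an added illustration of the third recommendation (this is example code, not Barracuda's or Microsoft's), the check below validates a user-supplied "custom value" URL before a flow or custom connector is allowed to use it: only HTTPS URLs whose host is on an explicit allowlist of the tenant's SharePoint hosts are accepted, and URLs carrying embedded credentials or literal internal addresses are rejected. The hostnames in ALLOWED_HOSTS are constructed placeholder values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the SharePoint hosts this tenant actually uses (assumed values).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}


def is_private_or_local(host: str) -> bool:
    """True if host is 'localhost' or a literal IP in a loopback, private,
    link-local, reserved or multicast range (classic SSRF destinations)."""
    if host in {"localhost", "localhost."}:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast)


def validate_custom_url(raw: str) -> tuple[bool, str]:
    """Validate a user-supplied custom URL before it is fetched on the user's behalf.
    Returns (accepted, reason); fail closed on anything unexpected."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    # "https://allowed.host@other.host/" parses 'allowed.host' as userinfo,
    # so reject any userinfo rather than trusting what precedes the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if is_private_or_local(host):
        return False, "host is an internal address literal"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://contoso.sharepoint.com/sites/finance/_api/web",
                      "http://contoso.sharepoint.com/",
                      "https://contoso.sharepoint.com@external.example/",
                      "https://10.0.0.5/internal/"):
        print(candidate, "->", validate_custom_url(candidate))
```

The check inspects only the URL string; it does not resolve DNS, so a hostname that resolves to an internal address is blocked solely by the allowlist, which is why the allowlist, not the IP-literal check, is the primary control.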

Reference

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Stacey Landrum

Stacey is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Stacey supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
