Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server. The exploit allows attackers to escalate privileges on affected SharePoint servers. Barracuda MSP recommends reviewing this Cybersecurity Threat Advisory in detail to prevent and limit potential impact.
What is the threat?
Tracked as CVE-2023-29357, this vulnerability enables unauthorized users to attain administrator privileges without any user interaction in low-complexity attacks. Attackers who are able to spoof JSON Web Token (JWT) authentication tokens can use them to execute network attacks. A successful attack circumvents authentication and gives the attacker the privileges of an authenticated user.
Why is it noteworthy?
Although this exploit does not by itself grant attackers remote code execution, attackers can potentially combine it with CVE-2023-24955, which facilitates remote code execution through command injection, to achieve this objective.
What is the exposure or risk?
This vulnerability directly affects SharePoint Server 2019. Additionally, a public exploit script for this vulnerability has been released on GitHub. It can facilitate user impersonation, letting attackers execute arbitrary code as the SharePoint application and potentially cause a denial of service (DoS).
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of CVE-2023-29357:
- Apply the security patches issued by Microsoft earlier this year as a preventive measure against potential attacks.
- Install all security updates related to the software in use.
- Leverage the Barracuda XDR platform for ongoing endpoint behavioral analysis, real-time alerts, and proactive blocking of potential threats.
For more in-depth information about the recommendations, please visit the following links:
- Exploit released for Microsoft SharePoint Server auth bypass flaw (bleepingcomputer.com)
- Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploit (CVE-2023-29357) (socradar.io)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.