Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955)
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-24955 – a code injection vulnerability that allows authenticated attackers to execute code remotely on a vulnerable Microsoft SharePoint Server – to its KEV catalog and is demanding that US federal civilian agencies implement the patch for it by April 16.
As usual, details about the attacks in which the flaw is being leveraged have not been shared.
About CVE-2023-24955 and CVE-2023-29357
CVE-2023-24955 and CVE-2023-29357, a Microsoft SharePoint Server flaw that allows attackers to bypass authentication and achieve admin privileges, were exploited by security researcher Nguyễn Tiến Giang (Jang) in March 2023 at Pwn2Own Vancouver, to achieve pre-authentication RCE on a fully patched machine running SharePoint 2019 (16.0.10396.20000).
Microsoft released patches for the two vulnerabilities in May and June 2023, respectively.
The researcher published a technical analysis of his exploit chain in September 2023, and published the PoC exploit in December 2023. (A standalone PoC exploit for CVE-2023-29357 was also published on GitHub in September 2023.)
Luckily, it took some time for attackers to start exploiting CVE-2023-29357 in the wild: CISA added it to the KEV catalog in January 2024.
Patch quickly (if you haven’t already)
“This CISA advisory highlights the importance of patching and updating your software regularly, especially for private and public-facing servers that handle sensitive data. These chained vulnerabilities are very serious because they allow attackers to circumvent authentication and execute code remotely on vulnerable servers,” Ray Kelly, a Fellow at Synopsys Software Integrity Group, told Help Net Security.
“However, it’s important to point out that security patches for these vulnerabilities have been available since last summer. The fact that CISA is now warning us about active exploitation indicates that many organizations have failed to apply the necessary security updates in a timely manner. Malicious actors will always look for the easy targets and an unpatched server will always be easy pickings for them.”
CISA’s KEV catalog is compiled for US Federal Civilian Executive Branch (FCEB) agencies, but all organizations – including private ones – can and should use it to help prioritize their vulnerability management efforts.
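One concrete way to use the KEV catalog for prioritization, as the paragraph above suggests, is to cross-reference the CVEs a scanner reports in your own environment against the catalog's due dates and work the overdue and soonest-due items first. The script below is an added example written for this article, not code from Help Net Security or CISA. It follows the field names of the public KEV JSON feed (cveID, vendorProject, product, dueDate, and so on), but the feed excerpt embedded in it is a constructed sample: only the two CVE IDs and the April 16, 2024 due date for CVE-2023-24955 come from the article, and the other dates, the host names and the placeholder CVE-0000-0001 are made up for illustration.

```python
"""Rank CVEs found in a local inventory by their CISA KEV due dates.

Added example, not from the article. The record layout mirrors the public
KEV JSON feed, but the sample below is constructed: apart from the two CVE
IDs and the 2024-04-16 due date, every value is a placeholder.
"""
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed.
KEV_SAMPLE_JSON = """
{
  "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-24955",
      "vendorProject": "Microsoft",
      "product": "SharePoint Server",
      "vulnerabilityName": "Microsoft SharePoint Server Code Injection Vulnerability",
      "dateAdded": "2024-03-26",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2024-04-16",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2023-29357",
      "vendorProject": "Microsoft",
      "product": "SharePoint Server",
      "vulnerabilityName": "Microsoft SharePoint Server Privilege Escalation Vulnerability",
      "dateAdded": "2024-01-10",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2024-01-31",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(raw_json):
    """Parse a KEV-format feed and index its entries by CVE ID."""
    feed = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(inventory, kev, today_iso):
    """Rank the CVEs in `inventory` ({cve_id: [hosts]}) by KEV due date.

    Returns (ranked, not_in_kev). `ranked` is sorted by due date, so overdue
    items come first, then the nearest deadlines. `not_in_kev` lists inventory
    CVEs with no KEV entry: still to be patched, just not on the KEV clock.
    """
    today = date.fromisoformat(today_iso)
    ranked, not_in_kev = [], []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            not_in_kev.append(cve)
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        ranked.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "days_left": days_left,
            "overdue": days_left < 0,
            "hosts": sorted(hosts),
        })
    ranked.sort(key=lambda r: r["due"])
    return ranked, sorted(not_in_kev)


if __name__ == "__main__":
    # Constructed inventory: which hosts a scanner flagged for which CVE.
    inventory = {
        "CVE-2023-24955": ["sp-app-02", "sp-app-01"],
        "CVE-2023-29357": ["sp-app-01"],
        "CVE-0000-0001": ["file-01"],  # placeholder ID, deliberately not in KEV
    }
    ranked, other = prioritize(inventory, load_kev(KEV_SAMPLE_JSON), "2024-04-01")
    for r in ranked:
        status = "OVERDUE" if r["overdue"] else f"{r['days_left']} days left"
        print(f"{r['cve']}  {r['product']}  due {r['due']}  {status}  "
              f"hosts={','.join(r['hosts'])}")
    print("not in KEV:", ", ".join(other))
```

Against the real feed you would replace KEV_SAMPLE_JSON with the downloaded catalog and feed in your scanner's output; the ranking logic is unchanged. Sorting on the due date alone is deliberate: an entry that is past its deadline sorts ahead of everything else without needing a separate "overdue" tier.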