Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploit (CVE-2023-29357)
Summary:
In June 2023, Microsoft released a critical security patch addressing an elevation of privilege vulnerability in SharePoint, identified as CVE-2023-29357. This advisory provides crucial information regarding the vulnerability (which becomes relevant due to its recently uploaded publicly available Proof of Concept), its exploitation, and recommended defensive measures to protect your SharePoint Server environment.
Vulnerability Description:
CVE-2023-29357 is a critical elevation of privilege vulnerability in Microsoft SharePoint Server. If exploited, an attacker can gain administrator-level privileges without requiring any prior authentication. The vulnerability allows attackers to spoof JWT authentication tokens, enabling them to execute network attacks, bypass authentication processes, and access privileges of authenticated users without user interaction.
Exploitation Details: A researcher, Nguyễn Tiến Giang, presented an in-depth analysis of a compound exploit chain targeting SharePoint during the Pwn2Own Vancouver 2023 event. The exploit chain consists of two key vulnerabilities:
- Authentication Bypass: Attackers can impersonate SharePoint users by generating valid JWTs using the ‘none’ signing algorithm, bypassing signature validation checks during OAuth authentication.
- Code Injection: Users with ‘Owners’ permissions can inject arbitrary code by replacing the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file, which is subsequently executed by SharePoint.
The primary challenge in this exploit chain is leveraging the Authentication Bypass flaw to access the SharePoint API and identifying a post-auth RCE chain.
Exploit in the Wild:
A public exploit script for CVE-2023-29357 has been released on GitHub, allowing attackers to elevate privileges on affected SharePoint Server installations. This script could potentially be chained with other RCE vulnerabilities to compromise system confidentiality, integrity, and availability. Features of the script include user impersonation and detailed output, but it is intended for educational and ethical use only.
Affected Versions:
This vulnerability directly affects SharePoint Server 2019. Successful exploitation was confirmed on SharePoint 2019 (version 16.0.10396.20000) with the March 2023 patches (KB5002358 and KB5002357) applied.
Defensive Measures:
Organizations running SharePoint Server, especially version 2019, are urged to take immediate action to protect their systems:
- Install Security Updates: Microsoft recommends installing all security updates related to SharePoint Server.
- AMSI Integration and Microsoft Defender: Enable the AMSI (Antimalware Scan Interface) integration feature and employ Microsoft Defender across your SharePoint Server farms. This provides an additional layer of protection.
With the public availability of the exploit script, the risk of malicious exploitation has significantly increased. Immediate patching and implementation of recommended mitigations are essential to mitigate potential security breaches and data compromises.
The SOC teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts.
References:
- https://socradar.io/microsoft-sharepoint-server-elevation-of-privilege-vulnerability-exploit-cve-2023-29357/
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357
- https://github.com/Chocapikk/CVE-2023-29357
- https://nvd.nist.gov/vuln/detail/CVE-2023-29357
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29357