SmartWorks Network

CISA adds patched MS SharePoint server vulnerability to KEV catalog

by Valentin / Friday, 12 January 2024 / Published in RSS blog posts

A patched privilege escalation vulnerability impacting Microsoft SharePoint servers has been added to the known exploited vulnerabilities (KEV) catalog of the US Cybersecurity and Infrastructure Security Agency (CISA).

Citing evidence of active exploitation, CISA has tagged the critical-severity bug, for which Microsoft previously released fixes as part of its June 2023 Patch Tuesday updates.

Tracked as CVE-2023-29357, the vulnerability (CVSS 9.8) allows an unauthenticated attacker, who has gained access to spoofed JSON Web Token (JWT) authentication tokens, to use them for executing a network attack, according to the KEV entry.

“This attack bypasses authentication, enabling the attacker to gain administrator privileges,” said CISA in the entry. “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”

Possible exploits include pre-authentication RCE

While specifics of the real-world exploitation of CVE-2023-29357 remain unknown, StarLabs security researcher Nguyễn Tiến Giang successfully demonstrated a two-bug exploit chain that included it at Pwn2Own, a computer hacking contest held in March 2023.

The contest exploit combined two vulnerabilities to achieve pre-auth remote code execution (RCE) on the SharePoint server. The first (CVE-2023-29357) allowed bypassing SharePoint OAuth authentication by taking advantage of a flawed signature validation algorithm for JWT tokens, while the second, a code injection vulnerability (CVE-2023-24955), allowed inserting arbitrary code with the SharePoint owner permissions already obtained.

“While the live demonstration lasted only approximately 30 seconds, it is noteworthy that the process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain,” Giang said in a blog post after winning a $100,000 prize for the demonstration.

CISA has advised users to update their systems by January 31 to secure against active threats.
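To track a deadline like this one across a fleet, the sketch below joins KEV entries against a patch inventory and ranks what is still exposed. It is an added example, not code from CISA or the article: the feed excerpt is constructed in the shape of the public KEV JSON feed, the due-date year is inferred from the article's date, and the host names and inventory are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (not the full
# catalog). The dueDate year is an assumption inferred from the article date.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-29357", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "dueDate": "2024-01-31"},
        # Placeholder entry with a deliberately malformed date.
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dueDate": "not-a-date"},
    ]
})

# Hypothetical scanner output: host -> CVEs still unpatched on that host.
INVENTORY = {
    "sp-farm-01": {"CVE-2023-29357", "CVE-2023-24955"},
    "sp-farm-02": {"CVE-2023-24955"},
    "intranet-03": {"CVE-2023-29357"},
}


def kev_due_dates(feed_json):
    """Map cveID -> due date, skipping entries whose date does not parse."""
    due = {}
    for entry in json.loads(feed_json).get("vulnerabilities", []):
        try:
            due[entry["cveID"]] = date.fromisoformat(entry["dueDate"])
        except (KeyError, ValueError):
            continue  # a broken entry must not abort the whole triage run
    return due


def triage(feed_json, inventory, today):
    """Return (host, cve, days_left) per unpatched KEV-listed CVE, most urgent first."""
    due = kev_due_dates(feed_json)
    findings = [
        (host, cve, (due[cve] - today).days)
        for host, cves in inventory.items()
        for cve in cves
        if cve in due
    ]
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    for host, cve, days_left in triage(KEV_FEED, INVENTORY, date(2024, 1, 12)):
        state = "OVERDUE" if days_left < 0 else f"{days_left} days left"
        print(f"{host}: {cve} ({state})")
```

A negative `days_left` means the host is past the KEV due date and should be escalated rather than queued.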
