SharePoint Shakedown: Hackers Exploit Duo of Vulnerabilities for Pre-Auth RCE Mayhem

In a digital game of cat and mouse, CISA plays the vigilant feline, alerting agencies to patch up a mischievous SharePoint vulnerability duo before hackers pounce. Remember folks, an unpatched server is a cyber burglar’s playground!

Hot Take:

It’s like a bad sequel in the cybersecurity movie franchise: “Attackers vs SharePoint.” Just when you thought your document collaboration was safe, along come two vulnerabilities joined in unholy matrimony, ready to tango through your servers. Let’s all give a round of applause to the dynamic duo CVE-2023-24955 and CVE-2023-29357, making it rain remote code execution (RCE) and admin privileges like confetti at a hacker’s parade. CISA’s like the chaperone at the prom, trying to keep the dance floor secure, but everyone knows the real party is happening in the unpatched server room.

Key Points:

  • SharePoint’s got a leaky ship with CVE-2023-24955, allowing site owners to become the captains of your server.
  • The sidekick CVE-2023-29357 sneaks attackers in through the VIP entrance with fake JWT tokens.
  • These vulnerabilities played the “get-together” game at Pwn2Own, showing off their RCE dance moves.
  • GitHub’s the new mixtape drop spot, where PoC exploits get released faster than a celebrity scandal.
  • CISA’s playing whack-a-mole, adding these flaws to the “patch-it-now-or-else” list for federal agencies.

Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE ID: CVE-2023-24955
CVE state: PUBLISHED
CVE assigner short name: microsoft
CVE date updated: 12/14/2023
CVE description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Title: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE ID: CVE-2023-29357
CVE state: PUBLISHED
CVE assigner short name: microsoft
CVE date updated: 01/09/2024
CVE description: Microsoft SharePoint Server Elevation of Privilege Vulnerability

Need to know more?

Party Crashers in the Server Room

Remember the days when SharePoint was just a cozy corner for team projects and not a stage for cyber gladiators? CVE-2023-24955 is out here giving authenticated attackers with a taste for power the ability to execute code on your servers remotely. It's like finding out the quiet intern has the keys to the executive washroom.

Disguises and Surprise Parties

Then there's CVE-2023-29357, the master of disguise, offering remote attackers admin privileges on a silver platter by faking JWT auth tokens. Talk about a surprise party; one minute you're chilling, the next you've got uninvited guests raiding your data fridge.

Showtime at Pwn2Own

Our vulnerability duo didn't just slide into the DMs of your servers; they went full Hollywood at Pwn2Own, with STAR Labs researcher Nguyễn Tiến Giang (a.k.a. Janggggg) showcasing their RCE duet. It's like "Dancing with the Stars," only the stars are exploitable bugs, and everyone's watching with popcorn, not praise.

Exploit Mixtapes on GitHub

GitHub has become the SoundCloud for exploits, where anyone with a browser can snag a proof-of-concept (PoC) exploit mixtape. CVE-2023-29357 had its debut there, and while it didn't grant full RCE, it's just a remix away from a club banger that could get the whole internet dancing (or crashing).

CISA's Playbook: Patch or Perish

Finally, CISA's stepping in like a stern librarian, shushing the ruckus by adding these flaws to the "please patch this, or you'll regret it" catalog. U.S. federal agencies have been given their curfew: patch CVE-2023-29357 by January 31, and don't forget your dance partner CVE-2023-24955 by April 16. It's less of a suggestion and more of a "do it, or else" kind of deal.

While CISA's coy about any actual exploits in the wild, they're pretty clear that these vulnerabilities are like catnip for cyber attackers. And even though the KEV catalog is meant for federal agencies, the private sector might want to take a hint and get their patch party started before the real crashing begins.
