CISA warns of two actively exploited vulnerabilities (CVE-2023-24955 & CVE-2023-29357) in Microsoft’s SharePoint servers 


CISA has warned Microsoft SharePoint users about two actively exploited vulnerabilities, tracked as CVE-2023-24955 and CVE-2023-29357.

Attackers can leverage these vulnerabilities to gain unauthenticated remote access to unpatched servers. Both vulnerabilities are critical and should be patched immediately.

By exploiting CVE-2023-29357, attackers can leverage JWT (JSON Web Token) auth tokens acquired through spoofing to gain admin-level privileges.

They could destroy, exfiltrate, or corrupt sensitive organizational data, and they could use the privileges to manipulate permissions and cause massive operational disruption in organizations that use SharePoint.

CVE-2023-24955 allows authenticated attackers with Site Owner privileges to remotely execute code on all vulnerable servers.

Experts have observed a sudden increase in exploitation, with more than 150,000 devices at risk of exposure, after the publication of a proof-of-concept exploit.

A proof of concept for CVE-2023-29357 has already been published on GitHub. Attackers can alter it and complete the attack chain with CVE-2023-24955 to carry out RCE attacks on all vulnerable servers, severely impacting the availability, accessibility, security, and confidentiality of the servers.

Private organizations are advised to keep their SharePoint servers updated with the latest security patches to defend against attacks based on exploiting these vulnerabilities.  

CISA has stressed that these vulnerabilities pose a significant threat to federal enterprises and has warned that cybercriminals often use these attack vectors to gain access to sensitive information. Federal agencies have been alerted to these vulnerabilities and are advised to address them immediately.

SharkStriker’s action & recommendations

SharkStriker’s SOC team has performed threat hunting to identify known Indicators of Compromise (if any). Upon investigating, no evidence of exploitation was found. They are continuously monitoring the SharePoint environment for security.  

The following are some of the recommendations and measures against the vulnerabilities:

  • A security advisory was released warning all SharkStriker customers and partners using SharePoint servers to patch their servers immediately to block attacks that exploit these vulnerabilities.
  • We developed various defense measures, such as new detection rules against CVE-2023-29357 & CVE-2023-24955.
  • Users are advised to enable the Anti-Malware Scan Interface (AMSI) on SharePoint.
  • Our Threat Researchers are keeping up with further developments in the threat landscape specific to the SharePoint vulnerabilities.
  • Customers can quickly check their cybersecurity posture through STRIEGO.

