Exploit for critical SharePoint vulnerability has surfaced

A proof-of-concept exploit for a critical security vulnerability in Microsoft SharePoint has surfaced on the code management platform GitHub. The vulnerability, tracked as CVE-2023-29357 with a CVSS rating of 9.8, allows malicious actors to escalate their privileges on vulnerable servers without any authentication or user interaction.

Microsoft’s Swift Response: June Patch Release

Microsoft promptly responded to this threat by releasing a patch in June. At that time, the company stated that an attacker could exploit the vulnerability using fake JWT authentication tokens to execute a network attack, bypass authentication, and gain access to the privileges of an authenticated user. Importantly, this exploitation does not require any special privileges or actions from the targeted user.

Part of a Sophisticated Exploit Chain

This week, a security researcher from Star Labs published a technical analysis describing how he successfully exploited CVE-2023-29357 in combination with another critical security vulnerability, CVE-2023-24955, during the Pwn2Own competition in March 2023 in Vancouver. His sophisticated approach allowed him to execute custom code on a SharePoint server remotely, earning him a $100,000 prize for the discovery.

GitHub Discovery and Potential Exploits

Surprisingly, just one day after the publication of this analysis, a proof-of-concept exploit for CVE-2023-29357 appeared on GitHub. On its own, this exploit does not enable remote code execution (RCE), because it does not cover the entire exploit chain demonstrated by the Star Labs researcher. Attackers could, however, potentially combine it with an exploit for CVE-2023-24955 to rebuild the full chain.

The repository’s description clarifies that the script does not contain RCE functions and is intended solely for educational and legitimate testing purposes.

Urgent Call to Action: Apply Microsoft’s Patches

Administrators are strongly advised to apply the patches provided by Microsoft if they have not done so already. A security update for CVE-2023-24955 has been available since May. Now that technical details for exploiting both vulnerabilities are publicly known, it is only a matter of time before attackers replicate the entire exploit chain and deploy it on a large scale. Your swift action is crucial to protect your systems.
