CVE-2023-29357 Detection: Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploitation Can Lead to Pre-Auth RCE Chain
Table of contents:
Threat actors frequently set eyes on Microsoft SharePoint Server products by weaponizing a set of RCE vulnerabilities, such as CVE-2022-29108 and CVE-2022-26923. In the early summer of 2023, Microsoft issued a patch for the newly discovered SharePoint Server elevation of privilege vulnerability known as CVE-2023-29357 and considered critical. With the CVE-2023-29357 PoC exploit recently released, attackers can gain administrator-level privileges without prior authentication in the compromised SharePoint Server instances. Chaining CVE-2023-29357 with another vulnerability tracked as CVE-2023-24955 can pose an even more serious threat to compromised users enabling attackers to gain pre-auth RCE on the targeted system.
Detect CVE-2023-29357 Exploitation Attempts
Proactive detection of vulnerability exploitation remains one of the top cybersecurity use cases due to a constantly escalating number of CVEs within popular software solutions. Weaponized for in-the-wild attacks, vulnerabilities pose a significant menace for cyber defenders, exposing organizational infrastructure to the risk of a data breach. To accelerate SOC efficiency and help security teams address existing flaws on time, SOC Prime provides a set of advanced tools aimed at hunting for vulnerability exploitation along with curated detection content to detect emerging threats on time.
With the escalating threat of potential exploitation of CVE-2023-29357 in the wild, cyber defenders are searching for ways to defend their SharePoint Server instances against malicious intrusions. The SOC Prime Team recently released a novel Sigma rule based on the publicly available PoC exploit code. The detection algorithm identifies potential CVE-2023-29357 exploitation attempts, which may be part of the pre-auth SharePoint Server RCE chain. Follow the link below to instantly access the relevant detection available in the Threat Detection Marketplace extensive rule feed:
This Sigma rule can be used across 18 cloud-native and on-prem security solutions and is aligned with the MITRE ATT&CK® framework v12 addressing the Lateral Movement tactic along with the Exploitation of Remote Services technique (T1210).
Security engineers can also take advantage of the following Sigma rules to detect more threats that can compromise the SharePoint Server devices and ensure their system is fully protected against adversary intrusions. Press the Explore Detections button to drill down to the list of relevant Sigma rules and CTI linked to them.
CVE-2023-29357 Analysis
In mid-June 2023, Microsoft issued a patch to address a critical CVE-2023-29357 vulnerability in Microsoft SharePoint Server, possessing a CVSS score of 9.8. Once exploited, this security flaw enables adversaries to obtain administrator-level privileges without the need for prior authentication. The exploitation attempts of this elevation of privilege vulnerability allow mimicking JWT authentication tokens to further launch a network attack, bypass authentication procedures, and gain access to the privileges of an authenticated user.
With PoC exploit code recently published on GitHub, CVE-2023-29357 is getting into the limelight in the cyber threat domain. While the exploit script is primarily focused on the elevation of privilege, adversaries can also take advantage of another SharePoint Server flaw known as CVE-2023–24955, leading to an RCE exploit chain and as a result, a full system compromise. From a broader perspective, the GitHub exploit script enables the impersonation of authenticated users allowing attackers to run arbitrary code disguised as the SharePoint application, potentially leading to a DoS attack. In addition, the PoC exploit code reveals admin users with elevated privileges, with the ability to operate in both single and mass exploit modes.
A cybersecurity researcher from StarLabs, Nguyễn Tiến Giang, provided an in-depth analysis of a complex pre-authentication exploit chain designed to target SharePoint Server products involving the two above-mentioned RCE security flaws. According to his research, the key challenge lies in using the authentication bypass vulnerability to access only the SharePoint API and then identifying a post-auth RCE chain through this API.
The CVE-2023-29357 flaw mainly impacts the SharePoint Server 2019 software version, which requires immediate attention from organizations and individual users leveraging relevant instances to prevent the potential compromise. To mitigate the threat, Microsoft recommends the installation of all security updates relevant to the 2019 software version in use. In addition to patching, another mitigation measure can be enabling the AMSI integration functionality and leveraging Microsoft Defender across SharePoint Server instances.
The public availability of the CVE-2023-29357 PoC exploit can lead to the growing risks of vulnerability exploitation in the wild. Rely on SOC Prime to be the first to know about the latest CVEs, explore tailored intelligence, and the entire collection of relevant Sigma rules.