RCE in SharePoint: CISA calls for fixing vulnerabilities as soon as possible

Teacher

The rapid appearance of publicly available exploits increases the likelihood of attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has expressed concern about the active exploitation of a vulnerability in Microsoft SharePoint that allows attackers to achieve remote code execution (RCE).

The problem is related to two vulnerabilities identified as CVE-2023-24955 and CVE-2023-29357, which in combination allow unauthorized attackers to gain administrative privileges on vulnerable SharePoint servers and execute code remotely.

The first vulnerability (CVE-2023-24955) allows attackers with site owner rights to execute code on vulnerable servers. The second one (CVE-2023-29357) allows attackers to remotely bypass authentication using fake JWT tokens and gain administrative privileges.

Both vulnerabilities can be combined to conduct RCE attacks on unpatched servers, as demonstrated by one of the researchers at STAR Labs at the Pwn2Own competition in Vancouver in March 2023.

Since an example of exploiting CVE-2023-29357 was published on GitHub in September, many PoC exploits have emerged, including those published by STAR Labs, making attacks easier for less experienced attackers.

CISA, in turn, called for the immediate elimination of these vulnerabilities, adding CVE-2023-29357 to its catalog of known exploited vulnerabilities and requiring US federal agencies to fix the problem by the end of January. More recently, on March 26, the agency added CVE-2023-24955, with a requirement to secure SharePoint servers by April 16.

While CISA did not provide specific information on attacks that exploit these vulnerabilities, it stressed that these types of problems are often targeted by cybercriminals and pose a significant risk.

CISA strongly recommends that not only federal agencies but also private organizations prioritize the elimination of these vulnerabilities to prevent possible attacks.
 