Exploit for under-siege SharePoint vuln reportedly in hands of ransomware crew
It’s taken months for crims to hack together a working exploit chain
Security experts claim ransomware criminals have got their hands on a functional exploit for a nearly year-old critical Microsoft SharePoint vulnerability that was this week added to the US's must-patch list.
Without specifically identifying the gang, researcher Kevin Beaumont said that at least one ransomware group has a working exploit for the critical vulnerability, which can potentially achieve remote code execution (RCE) although the US Cybersecurity and Infrastructure Security Agency (CISA) said its use in ransomware campaigns is currently "unknown."
When vulnerabilities are added to CISA's known exploited vulnerabilities (KEV) list, it means two things: Federal civilian executive branch (FCEB) agencies have three weeks to patch them, and they're being actively exploited by cybercrims.
Tracked as CVE-2023-29357, the SharePoint vulnerability in question was first identified by Nguyễn Tiến Giang (Jang) of Singaporean security house STAR Labs. Back in March 2023, during Vancouver's Pwn2Own contest, he chained it with another bug to achieve unauthenticated RCE on a SharePoint server.
CVE-2023-29357 is a critical elevation of privileges (EoP) vulnerability that carries a 9.8 severity score. Microsoft originally addressed this in June 2023's Patch Tuesday, and Jang published a detailed rundown of how the exploit chain was developed a few months later in September.
Proof of concept (PoC) code for CVE-2023-29357 was published to GitHub the following day, but wasn't constructed in a way that revealed how to chain it with CVE-2023-24955, or any other RCE bug, to achieve the pre-auth RCE exploit that earned Jang his $100,000 prize at Pwn2Own.
Researchers warned in September that the publication of the PoC code provided a foundation from which cybercriminals could build a working exploit, and it was highly important to patch both vulnerabilities as soon as possible.
Beaumont said at the time he expected ransomware attacks using the two vulnerabilities to begin "in [the] coming weeks."
The addition to CISA's KEV catalog means it has taken cybercriminals months to start exploiting the vulnerability, despite having the bare-bones tools to do so.
- New year, new updates for security holes in Windows, Adobe, Android and more
- And that's a wrap for Babuk Tortilla ransomware as free decryptor released
- Apache OFBiz zero-day pummeled by exploit attempts after disclosure
- Google password resets not enough to stop these info-stealing malware strains
When PoC code is published for any given vulnerability, attacks typically soar in the days after as baddies race to develop working exploits before organizations can plug the holes.
The delay, in this case, might be explained by the difficulty involved in chaining CVE-2023-29357 together with CVE-2023-24955 – a feat Jang said took him and his team "nearly a year of meticulous effort and research" to achieve before demonstrating it at Pwn2Own.
Microsoft addressed CVE-2023-29357 in June and CVE-2023-24955 in May 2023, but IT admins have been reminded that simply applying the June 2023 Patch Tuesday updates won't automatically protect their organizations.
Manual, SharePoint-specific patches are required to ensure the fixes are applied properly as patches won't be installed by Windows Update.
The EOP vulnerability itself was originally designated by Microsoft as "exploitation more likely" with a "low" attack complexity.
"An attacker who successfully exploited this vulnerability could gain administrator privileges," its advisory reads. It also hasn't been updated since June to reflect the active exploitation.
"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action."
CVE-2023-24955 was also designated "exploitation more likely" status with a "low" attack complexity, but carried a less severe rating of 7.2 due to privileges being required to remotely exploit it.
According to an advisory from NHS Digital, there is currently no known PoC code for the RCE vulnerability circulating online so those exploiting it will have developed it themselves and kept it a secret, for now. ®