2023-9-28 01:1:23 Author: www.tenable.com(查看原文) 阅读量:25 收藏
A proof-of-concept exploit chain has been released for two vulnerabilities in Microsoft SharePoint Server that can be exploited to achieve unauthenticated remote code execution.
Background
On September 25, STAR Labs researcher Nguyễn Tiến Giang (Jang) published a blog post outlining the successful chaining of CVE-2023-29357 and CVE-2023-24955 to achieve remote code execution (RCE) against Microsoft SharePoint Server. The exploit chain was demonstrated at the Zero Day Initiative’s (ZDI) Pwn2Own contest held in Vancouver in March.
Image Source: Zero Day Initiative, March 2023
On September 26, a proof-of-concept (PoC) for the exploit chain was released on GitHub. The authors of the PoC point out that RCE is not achievable with the current PoC in order to “maintain an ethical stance.” However malicious actors often take advantage of public PoC code and incorporate them into attack tools, so we encourage patching these vulnerabilities as soon as possible.
Analysis
CVE-2023-29357 is an elevation of privilege (EoP) vulnerability in Microsoft SharePoint Server that was assigned a CVSSv3 score of 9.8 and rated critical. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JSON Web Token (JWT) authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to Microsoft’s advisory, no user interaction is required in order for an attacker to exploit this flaw. This vulnerability was patched during Microsoft’s June 2023 Patch Tuesday release.
CVE-2023-24955 is a RCE vulnerability affecting Microsoft SharePoint Server. The vulnerability was assigned a CVSSv3 score of 7.2 and could allow an authenticated Site Owner to execute code on an affected SharePoint Server. This RCE was patched as part of the May 2023 Patch Tuesday release.
Both of these vulnerabilities are credited to Jang and were reported to Microsoft by ZDI in coordination with the researcher.
Creating the exploit chain
According to the STAR Labs blog post, nearly a full year of research efforts went into crafting the exploit chain. By combining an authentication bypass (CVE-2023-29357) with a code injection vulnerability (CVE-2023-24955), Jang was able to achieve unauthenticated RCE. A video demonstration of the attack chain can be found on YouTube.
Solution
Both of these vulnerabilities have been patched by Microsoft as part of the May and June 2023 Patch Tuesday releases. We recommend applying the patches as soon as possible. While the currently released PoC does not achieve RCE out of the box, it's likely that threat actors will be able to modify the exploit and weaponize it for malicious use.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities can be found here.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information
- STAR Labs Blog:[P2O Vancouver 2023] SharePoint Pre-Auth RCE chain (CVE-2023-29357 & CVE-2023-24955)
- Tenable Blog: Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)
- Tenable Blog: Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Scott Caveza
Scott joined Tenable in 2012 as a Research Engineer on the Nessus Plugins team. Over the years, he has written hundreds of plugins for Nessus, and reviewed code for even more from his time being a team lead and manager of the Plugins team. Previously leading the Security Response team and the Zero Day Research team, Scott is currently a member of the Security Response team, helping the research organization respond to the latest threats. He has over a decade of experience in the industry with previous work in the Security Operations Center (SOC) for a major domain registrar and web hosting provider. Scott is a current CISSP and actively maintains his GIAC GWAPT Web Application Penetration Tester certification.
Interests outside of work: Scott enjoys spending time with his family, camping, fishing and being outdoors. He also enjoys finding ways to break web applications and home renovation projects.
Related Articles
- Exposure Management
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Tenable Vulnerability Management
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.
Tenable Vulnerability Management
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
65 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Try Tenable Nessus Professional Free
FREE FOR 7 DAYS
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
NEW - Tenable Nessus Expert
Now Available
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro Trial.
Buy Tenable Nessus Professional
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin, Tenable Web App Scanning and Tenable Cloud Security.
BUY
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
65 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Try Tenable Web App Scanning
Formerly Tenable.io Web Application Scanning
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Cloud Security.
Buy Tenable Web App Scanning
Formerly Tenable.io Web Application Scanning
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Try Tenable Lumin
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Cloud Security.
Buy Tenable Lumin
Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank You
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Request a demo of Tenable Security Center
Formerly Tenable.sc
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Request a demo of Tenable OT Security
Formerly Tenable.ot
Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.
Request a demo of Tenable Identity Exposure
Formerly Tenable.ad
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Try Tenable Cloud Security
Formerly Tenable.cs
Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.
Your Tenable Cloud Security trial also includes Tenable Vulnerability Management, Tenable Lumin and Tenable Web App Scanning.
Contact a Sales Rep to Buy Tenable Cloud Security
Contact a Sales Representative to learn more about Tenable Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.
Thank You
Thank you for your interest in Tenable.cs. A representative will be in touch soon.
See
Tenable One
In Action
Exposure management for the modern attack surface.
See Tenable Attack Surface Management In Action
Formerly Tenable.asm
Know the exposure of every asset on any platform.
Thank You
Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.
Try Tenable Nessus Expert Free
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Buy Tenable Nessus Expert
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Try Nessus Expert Free
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Buy Tenable Nessus Expert
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
如有侵权请联系:admin#unsafe.sh