March 27, 2024 at 06:42AM
CISA added the CVE-2023-24955 SharePoint flaw, part of an exploit chain for unauthenticated remote code execution, to its Known Exploited Vulnerabilities list, after it was demonstrated at Pwn2Own. Microsoft patched this flaw in May 2023. CISA’s catalog now holds four exploited SharePoint vulnerabilities, with CVE-2023-24955 requiring attention from government organizations by April 16.
The key takeaways are:
1. CISA added a second SharePoint vulnerability, CVE-2023-24955, to its Known Exploited Vulnerabilities (KEV) list, joining CVE-2023-29357.
2. Both CVE-2023-24955 and CVE-2023-29357 were demonstrated by the Star Labs team at Pwn2Own Vancouver and patched by Microsoft in May and June 2023, respectively.
3. The vulnerabilities were part of an exploit chain allowing unauthenticated remote code execution on SharePoint servers with elevated privileges.
4. The exploit chain earned the Star Labs team $100,000 at Pwn2Own.
5. The Star Labs team disclosed their findings in September and released a Proof of Concept (PoC) exploit in mid-December.
6. CISA is aware of attacks exploiting the vulnerabilities but clarifies that the known attacks do not involve ransomware.
7. Microsoft’s advisories for both vulnerabilities have an exploitation assessment of ‘exploitation more likely’, although there is no information on in-the-wild exploitation.
8. CISA’s KEV list currently includes four exploited SharePoint vulnerabilities since 2019, and the latest entry, CVE-2023-24955, requires attention from government organizations by April 16.
This information highlights the urgency for organizations, particularly government entities, to address the CVE-2023-24955 vulnerability and stay vigilant against potential exploitation.