CISA: Critical Microsoft SharePoint bug now actively exploited

January 12, 2024 at 02:47PM

CISA warned of active exploitation of critical Microsoft SharePoint vulnerabilities, including CVE-2023-29357, which allows attackers to gain admin privileges using spoofed JWT tokens. When chained with another bug, remote code execution is possible. These exploits have gained attention after a successful demo at the Pwn2Own contest, leading to the release of proof-of-concept exploits. CISA has urged federal agencies to patch by January 31.

A critical Microsoft SharePoint privilege escalation vulnerability, tracked as CVE-2023-29357, is being actively exploited by attackers. This flaw allows remote attackers to gain admin privileges on unpatched servers by circumventing authentication using spoofed JWT auth tokens.

Furthermore, attackers can execute arbitrary code on compromised SharePoint servers by chaining the CVE-2023-29357 vulnerability with the CVE-2023-24955 SharePoint Server remote code execution vulnerability. This exploit chain was demonstrated at the March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward for the researcher who demonstrated it.

A proof-of-concept exploit for CVE-2023-29357 has been released on GitHub, allowing attackers to potentially chain it with CVE-2023-24955 for remote code execution. Additionally, several other PoC exploits for this chain have surfaced online, making it easier for threat actors to deploy it in attacks.

CISA has added the CVE-2023-29357 vulnerability to its Known Exploited Vulnerabilities Catalog and now requires U.S. federal agencies to patch it by January 31st. While CISA has not provided additional details on active exploitation, the urgency to patch this vulnerability is evident.

It is important for organizations to be aware of this active threat and to apply the available patches to prevent exploitation and unauthorized access to their systems.
