March 27, 2024 at 12:30PM
CISA warns of attackers exploiting a Microsoft SharePoint vulnerability, enabling remote code execution and admin privilege takeover. Nguyễn Tiến Giang earned $100,000 for demonstrating its exploitation. Multiple proof-of-concept exploits have emerged, prompting CISA to order patching by January 31. This poses a significant risk, emphasizing the need for quick patching among federal and private organizations per CISA.
From the meeting notes, I have gathered the following key takeaways:
1. CISA has warned about the exploitation of a Microsoft SharePoint code injection vulnerability (CVE-2023-24955) that can be used for pre-auth remote code execution attacks when chained with a critical privilege escalation flaw.
2. Another flaw (CVE-2023-29357) allows remote attackers to gain admin privileges on vulnerable SharePoint servers by bypassing authentication using spoofed JWT auth tokens.
3. Nguyễn Tiến Giang (Janggggg) earned a $100,000 reward for demonstrating a SharePoint Server exploit chaining the two bugs during last year’s Pwn2Own contest.
4. A proof-of-concept exploit for CVE-2023-29357 was released on GitHub, and multiple PoC exploits targeting the chain have surfaced online.
5. CISA has added CVE-2023-29357 and CVE-2023-24955 to its Known Exploited Vulnerabilities Catalog, mandating U.S. federal agencies to patch them by specific deadlines.
6. CISA emphasized the significant risks posed by these vulnerabilities and advised both federal agencies and private organizations to prioritize patching the exploit chain to block potential attacks.
These takeaways highlight the urgency of addressing these vulnerabilities and the potential for widespread impact, emphasizing the need for prompt action in both public and private sector organizations.