CISA warns that attackers are actively exploiting a critical Microsoft SharePoint privilege escalation vulnerability that can be chained with another critical bug for remote code execution.
Tracked as CVE-2023-29357, the security flaw allows remote attackers to gain admin privileges on unpatched servers by bypassing authentication using spoofed JWT auth tokens.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft explains.
“An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action.”
Remote attackers can also execute arbitrary code on compromised SharePoint servers via command injection when chaining this flaw with the CVE-2023-24955 SharePoint Server remote code execution vulnerability.
This Microsoft SharePoint Server exploit chain was successfully demoed by STAR Labs researcher Jang (Nguyễn Tiến Giang) during last year’s March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.
The researcher published a technical analysis on September 25 describing the exploitation process in detail.
Just one day later, a security researcher also released a CVE-2023-29357 proof-of-concept exploit on GitHub.
Since then, many other PoC exploits for this chain have surfaced online, lowering the exploitation bar and allowing even less-skilled threat actors to deploy it in attacks.
While it has yet to provide more details on CVE-2023-29357 active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and now requires US federal agencies to patch it by the end of the month, on January 31.