The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that the vulnerability is being actively exploited.
The flaw, tracked as CVE-2023-29357 with a critical CVSS score of 9.8, is an elevation-of-privilege vulnerability that attackers can use to obtain administrator rights. Microsoft released a patch for it back in June 2023, but attackers are still actively using it against unpatched SharePoint Server installations.
To exploit the vulnerability, an attacker who has obtained spoofed JWT authentication tokens can use them in a network attack that bypasses authentication and grants the privileges of an authenticated user. The attacker needs no privileges to do this, and no user interaction is required.
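The page does not describe how SharePoint validates its tokens, so the following is an added, generic illustration of the bug class rather than the actual CVE-2023-29357 mechanism or any Microsoft code. It contrasts a weak JWT verifier that trusts the algorithm named inside the token with a strict one that pins the algorithm server-side, checks the HMAC signature in constant time before reading any claim, and enforces expiry. The key, claims and token values are constructed for the demo; `mint_token`, `verify_naive`, `verify_strict` and `demo` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service loads its signing key from a secret store.
SERVER_KEY = b"demo-signing-key-not-real"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg="none" yields an unsigned token, i.e. the kind of
    spoofed token an attacker can mint without knowing any key."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Weak verifier: honours whatever 'alg' the token itself declares, so an
    unsigned token is accepted. Shown only to contrast with verify_strict."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))  # authentication bypass
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(body_b64))
    return None


def verify_strict(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: algorithm pinned server-side, signature checked before
    any claim is trusted, expired tokens rejected."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # malformed or unsigned
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None  # refuse 'none' and every algorithm the server did not choose
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(body_b64))
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


def demo() -> dict:
    """Mint a forged (unsigned) token, a token signed with a guessed key, and a
    genuine one, then show which verifier lets which through."""
    far_future = 4102444800  # 2100-01-01, constructed so the demo does not expire
    admin_claims = {"sub": "attacker", "role": "admin", "exp": far_future}
    forged = mint_token(admin_claims, b"", alg="none")
    wrong_key = mint_token(admin_claims, b"guess")
    genuine = mint_token({"sub": "alice", "role": "user", "exp": far_future}, SERVER_KEY)
    return {
        "naive_accepts_forged": verify_naive(forged, SERVER_KEY) is not None,
        "strict_rejects_forged": verify_strict(forged, SERVER_KEY) is None,
        "strict_rejects_wrong_key": verify_strict(wrong_key, SERVER_KEY) is None,
        "strict_accepts_genuine": verify_strict(genuine, SERVER_KEY) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the server, never the token, decides which algorithm and key are acceptable; any verifier that lets the token's header steer that decision can be handed a self-minted token carrying whatever identity and role the attacker wants.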
The remote code execution chain combines the authentication bypass (CVE-2023-29357) with a code injection vulnerability (CVE-2023-24955, CVSS 7.2); the latter was fixed in May 2023.
Security researcher Nguyễn Tiến Giang (Jang) of STAR Labs SG said that discovering and developing this exploit chain took almost a year of intensive research. Specific details of the in-the-wild exploitation of CVE-2023-29357, as well as the identity of the attackers using it, are not known at this time. Nevertheless, US federal agencies are required to apply the necessary patches by January 31, 2024 to protect against this active threat.