Active Threat Warning Given Regarding SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has lately released a security warning that companies should patch a critical remote code execution vulnerability identified in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency is likewise advising companies to apply the patch immediately to avoid being exploited.

The vulnerability, monitored as CVE-2020-16952, is caused by the inability of SharePoint to test an application package’s source markup. When exploited, an attacker can possibly use administrator privileges to execute arbitrary code in the SharePoint server farm account and the framework of the SharePoint application pool.

An attacker could exploit the vulnerability after being able to persuade a user to upload a specifically created SharePoint application package to an unsecure version of SharePoint. This is possible through a phishing campaign employing social engineering techniques.

The vulnerability’s assigned CVSS v3 base score is 8.6 out of 10. It impacts these SharePoint products:

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 Service Pack 1

The vulnerability did not affect SharePoint Online.

Hackers target SharePoint vulnerabilities because SharePoint is often employed by enterprise companies. Past SharePoint vulnerabilities were broadly exploited, including two that were mentioned in CISA’s top 10 list of most exploited vulnerabilities from 2016 to 2019.

This week, Microsoft released an out-of-band patch to fix the vulnerability. The patch should be utilized to fix the vulnerability because no mitigations can stop the exploitation of the vulnerability. The patch alters the way SharePoint inspects the source markup of downloaded application packages.

Security researcher Steven Seeley released a proof of concept exploit for the vulnerability that is publicly available on GitHub. Seeley discovered the vulnerability and informed Microsoft about it. The PoC can quickly be weaponized and so there is a high probability of developing exploits and using it in attacks on companies. When the patch was released, Microsoft was not aware of any instances of vulnerability exploitation in the wild.

NCSC stated that this PoC could be discovered by looking at HTTP headers that contain the string runat=’server’ and reviewing SharePoint page creations.

According to Rapid7 researchers, the vulnerability is highly valuable to hackers because of the simplicity of exploiting the vulnerability to get privileged access. An authenticated user having page creation privileges can exploit the bug through SharePoint’s standard permission, and could leak an arbitrary file, remarkably the application’s web.config file that could be utilized to bring about remote code execution (RCE) via .NET deserialization. The patch must be applied immediately to avoid exploitation.