A patched privilege escalation vulnerability impacting Microsoft SharePoint servers has been added to the known exploited vulnerabilities (KEV) catalog of the US Cybersecurity and Infrastructure Security Agency (CISA).
Citing evidence of active exploitation, CISA has added the critical-severity bug, for which Microsoft released fixes as part of its June 2023 Patch Tuesday updates.
Tracked as CVE-2023-29357, the vulnerability (CVSS 9.8) allows an unauthenticated attacker who has obtained spoofed JSON Web Token (JWT) authentication tokens to use them to execute a network attack, according to the KEV entry.
“This attack bypasses authentication, enabling the attacker to gain administrator privileges,” said CISA in the entry. “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”
Possible exploits include pre-authentication RCE
While specifics of the real-world exploitation of CVE-2023-29357 remain unknown, a StarLabs security researcher, Nguyễn Tiến Giang, successfully demonstrated a two-bug exploit chain using it at the Pwn2Own hacking contest held in March 2023.
The contest exploit combined two vulnerabilities to achieve pre-authentication remote code execution (RCE) on the SharePoint server. The first vulnerability (CVE-2023-29357) bypassed SharePoint's OAuth authentication by taking advantage of a flawed signature validation algorithm for JWT tokens; a second code injection vulnerability (CVE-2023-24955) then allowed arbitrary code to be inserted using the SharePoint owner permissions already obtained.
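The class of flaw described above, a JWT validator that lets the token's own header decide how (or whether) the signature is checked, is illustrated below with an added example. This is not SharePoint's code and does not reproduce its actual validation logic; it shows a generic weak validator beside a hardened one, using only the Python standard library. DEMO_KEY and EXPECTED_AUD are constructed placeholders, and the "alg: none" token is built solely to show what the weak validator accepts and the strict one refuses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and audience (hypothetical values, not from any real deployment).
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_AUD = "https://sharepoint.example.invalid"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields an unsigned token, used here only as test input."""
    signing_input = _encode_part({"alg": alg, "typ": "JWT"}) + "." + _encode_part(claims)
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return parts


def _hs256(key: bytes, header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()


def weak_verify(token: str, key: bytes) -> dict:
    """Flawed validator: the token's own 'alg' header controls whether a signature is required."""
    header_b64, payload_b64, sig_b64 = _split(token)
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return claims  # BUG: an unsigned token is accepted without any check
    if not hmac.compare_digest(_hs256(key, header_b64, payload_b64), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return claims


def strict_verify(token: str, key: bytes, now=None) -> dict:
    """Hardened validator: algorithm pinned server-side, signature mandatory, exp and aud enforced."""
    header_b64, payload_b64, sig_b64 = _split(token)
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unsupported alg")
    if not sig_b64:
        raise ValueError("missing signature")
    if not hmac.compare_digest(_hs256(key, header_b64, payload_b64), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


def rejects(fn) -> bool:
    """True if fn() raises ValueError (used to report validator decisions)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo(now: float = 1_700_000_000) -> dict:
    """Run both validators over a legitimate, an unsigned and a tampered token (all constructed)."""
    good = issue_token({"sub": "alice", "aud": EXPECTED_AUD, "exp": 2_000_000_000}, DEMO_KEY)
    unsigned = issue_token({"sub": "admin", "aud": EXPECTED_AUD, "exp": 2_000_000_000}, b"", alg="none")
    h, _, s = good.split(".")
    tampered = ".".join([h, _encode_part({"sub": "admin", "aud": EXPECTED_AUD, "exp": 2_000_000_000}), s])
    return {
        "weak_good": weak_verify(good, DEMO_KEY)["sub"],
        "weak_unsigned": weak_verify(unsigned, DEMO_KEY)["sub"],
        "strict_good": strict_verify(good, DEMO_KEY, now=now)["sub"],
        "strict_unsigned_rejected": rejects(lambda: strict_verify(unsigned, DEMO_KEY, now=now)),
        "strict_tampered_rejected": rejects(lambda: strict_verify(tampered, DEMO_KEY, now=now)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for defenders is the asymmetry shown by demo(): the weak validator returns the unsigned token's claims as if they were authentic, while the strict validator fails closed on anything that is not HS256-signed with the server's key, unexpired, and issued for the expected audience. Real deployments should apply the vendor's patches rather than rely on a hand-written validator, but the same checks (server-side algorithm pin, mandatory signature, exp/aud) are what to look for when reviewing any JWT-consuming code.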