In late March 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued the alert regarding the exploitation of a flaw in Microsoft SharePoint. It was detected back in September 2023, but the facts of active exploitation surfaced only recently. Fortunately, Microsoft offers updates that fix the flaw.
Remote code execution vulnerability
A vulnerability designated with the identifier CVE-2023-24955 (CVSS: 7,2) has been discovered in the popular Microsoft SharePoint product. It includes SharePoint Enterprise Server 2013, SharePoint Server 2016 and SharePoint Server 2019. The vulnerability allows attackers to exploit the code injection vulnerability. This involves replacing a specific file (/BusinessDataMetadataCatalog/BDCMetadata.bdcm) on the server, which leads to the injected code being compiled into an assembly that SharePoint then executes. This action effectively grants the attacker the ability to execute arbitrary code on the server.
The vulnerability was originally identified by a group of security researchers who then reported their findings to Microsoft. The specifics of the vulnerability is that it exploits a flaw in the mechanism for handling specially crafted web requests. This means that for a successful attack, an attacker only needs to send a specially crafted request to a SharePoint server. Moreover, it does not require the attacker to have credentials or prior access to the victim’s network.
Remote code execution flaws are traditionally considered the most severe ones. They effectively allow attackers to execute the code they need in several systems across the environment. Such flaws can serve as both entry points and the instrument for lateral movement. And considering the popularity of Microsoft solutions, it is expected for this vulnerability to be used along with other ones within the Microsoft ecosystem.
Official Microsoft Patches and Updates
Interestingly enough, the vulnerability was fixed before it was uncovered by the researchers. The fix appeared within the course of Patch Tuesday in May 2023. Despite that, after the public disclosure, the company published security advisories and provided updates for all supported versions of the product, urging users to immediately apply patches to protect their systems. Official patches are available through Microsoft’s standard update channels and on the official support site. Though, this should have been done way earlier, considering the high CVSS score of the flaw.
At the same time, other vulnerabilities are rarely patched before the public disclosure. Protecting against them requires strong security solutions, particularly ones that can detect potential exploitation. EDR/XDR and the programs of this grade will not only protect against vulnerability exploitation, but also give you the ability to orchestrate the response to minimize the damage.
