CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability

Overview

Severity

Critical (CVSS 9.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

More Likely

Patch Tuesday

2023-Jun

Released

2023-06-13

Last Updated

2023-06-19

EPSS Score

94.36% (percentile: 100.0%)

CISA KEV

Listed — due 2024-01-31

FAQ

According to the CVSS metric, the attack vector is network (AV:N), privilege required is none (PR:N), and user interaction is none (UI:N). What is the target used in the context of the elevation of privilege? An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. I am running SharePoint Server 2019 and there are multiple updates available. Do I need to install all the updates listed in the Security Updates table for these versions? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order.

Known Exploits (3)

• Microsoft SharePoint Server Privilege Escalation Vulnerability — added 2024-01-01T21:08:22Z
• Microsoft SharePoint Server Privilege Escalation Vulnerability — added 2023-09-30T23:17:04Z
• Microsoft SharePoint Server Privilege Escalation Vulnerability — added 2023-09-26T16:18:41Z

Detection & Weaponization (4 sources)

Maturity: Detection

• Metasploit modules: Sharepoint Dynamic Proxy Generator Unauth RCE
• Nuclei templates: Microsoft SharePoint - Authentication Bypass
• YARA rules: expl_sharepoint_cve_2023_29357.yar, SIGNATURE_BASE_LOG_EXPL_Sharepoint_CVE_2023_29357_Sep23_1, SIGNATURE_BASE_HKTL_EXPL_POC_PY_Sharepoint_CVE_2023_29357_Sep23_1, SIGNATURE_BASE_HKTL_EXPL_POC_NET_Sharepoint_CVE_2023_29357_Sep23_1
• GitHub PoC: 7 repositories

Affected Products (1)

Microsoft Office

• Microsoft SharePoint Server 2019

Security Updates (2)

• 5002402
• 5002403

Acknowledgments

<a href="https://twitter.com/testanull">Jang (Nguyễn Tiến Giang)</a> of StarLabs SG working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>

Revision History

• 2023-06-13: Information published.
• 2023-06-19: Updated FAQ information. This is an informational change only.