Getty Images/iStockphoto

Proof-of-Concept Prompts Alert on SharePoint Remote Execution Flaw

DHS urges entities to heed an NSCS alert for a remote code execution flaw in Microsoft SharePoint, following the release of a proof-of-concept that would give a hacker control of a system.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging organizations to review a UK National Cyber Security Centre (NCSC) alert for a remote code execution flaw found in Microsoft SharePoint. A proof-of-concept exploit has already been released, which would give an attacker control of affected systems. 

The CVE-2020-16952 RCE flaw exists in the Microsoft SharePoint server, as the software fails to check the source markup of an application package. If a hacker successfully exploits the vulnerability, they could run arbitrary code through the SharePoint application pool and its server farm account. 

“Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint,” Microsoft warned in its October 13 advisory

CISA warned that applying the patch provided by Microsoft could help to prevent a successful exploitation. Applying the patch is the only way to prevent an exploit, as Microsoft has not identified any workarounds or mitigating factors for the flaw. 

The NSCS warned that a successful exploit could also allow an attacker to carry out security actions in the context of a local administrator on affected SharePoint server installations. 

The urgent need to patch is driven by previous SharePoint vulnerabilities, which DHS CISA named as among the 10 most exploited vulnerabilities from 2016 to 2019. NSCS also detected a large number of exploitations of these SharePoint vulnerabilities against a host of organizations in the past. 

“The vulnerability is a caused by a validation issue in user-supplied data,” NSCS officials explained. “This vulnerability can be exploited when a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.” 

The flaw is found in Microsoft SharePoint Foundation 2013, Enterprise Server 2016, and Server 2019. SharePoint Online, as part of Office 365, is not affected. Applying the patch corrects how SharePoint checks the source markup for application packages. 

Administrators can review the proof-of-concept exploit, which can be detected through identifying HTTP headers that contain a specific string. Administrators can also detect the POC by auditing SharePoint page creations. 

Rapid7 researchers stressed that the attacker value of this flaw is “very high,” with a high exploitability rating. Not only is it common in enterprise organizations, the vulnerability is easy to weaponize and would provide an attacker with privileged access upon a successful exploit. 

The POC Python exploit targets the vulnerability to leak the web.config file, then extracts the ViewState validation key to create a malicious code that the application can deserialize. Rapid7 warned that an attacker could then leverage a .NET gadget chain to launch arbitrary commands as a SharePoint user. 

Once a proof-of-concept is made available, it makes a vulnerability an “impending threat.” 

“There were a lot of vulnerabilities out this week, and a number of which got quite a bit more news cycle attention than this one,” researchers explained. “Unlike a few of those higher-hype bugs, however, this one is an active threat.” 

“Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments,” they added. 

The alert comes on the heels of another RCE vulnerability patch released by Microsoft last week. US Cyber Command warned organizations to immediately patch a critical flaw in Windows TCP/IP, known as “Bad Neighbor,” as it poses a Denial-of-Service risk, also known as a ‘Blue Screen of Death’ (BSoD). 

Given the number of organizations continuing to rely on legacy platforms and many providers struggling to promptly patch flaws, healthcare entities must apply these software updates as soon as possible. Recent data shows hackers are increasingly targeting known vulnerabilities to gain footholds into victims' networks, through a massive campaign scanning the internet in search of vulnerable endpoints.

Next Steps

Dig Deeper on Cybersecurity strategies