The UK National Cyber Security Centre (NCSC) has issued a security alert urging companies to patch a critical remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has published a similar advisory telling companies to apply the patch immediately to prevent exploitation.
The vulnerability, CVE-2020-16952, is caused by SharePoint failing to check the source markup of an application package. An attacker who successfully exploits it can run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
To exploit the vulnerability, an attacker would need to convince a user, for example through a phishing campaign or other social engineering, to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint.
CVE-2020-16952 has been assigned a CVSS v3 base score of 8.6 out of 10. The following SharePoint products are affected:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 Service Pack 1
SharePoint Online was not affected by the vulnerability.
Attackers favour SharePoint vulnerabilities because SharePoint is so widely deployed in businesses. Two previously exploited SharePoint vulnerabilities appeared in CISA's list of the top 10 most exploited vulnerabilities from 2016 to 2019.
This week, Microsoft released a patch for the vulnerability. Microsoft has identified no mitigations or workarounds, so applying the patch is the only way to address it. The patch corrects how SharePoint checks the source markup of application packages.
Security researcher Steven Seeley, who discovered the vulnerability and reported it to Microsoft, has released a proof-of-concept (PoC) exploit on GitHub. The PoC is easy to weaponize, so the likelihood of working exploits being developed and used in attacks is high. At the time the patch was released, Microsoft had not received any reports of the vulnerability being exploited in the wild.
NCSC said that use of this PoC can be identified by checking for the string runat='server' in HTTP headers and by reviewing SharePoint page creations.
Rapid7 researchers said that attackers consider the vulnerability highly valuable because it is simple to exploit and yields privileged access. An authenticated user with page creation privileges, which SharePoint's standard permissions grant, can exploit the vulnerability to read arbitrary files, including the application's web.config. That file holds the machineKey used to validate ViewState, so an attacker who obtains it can sign a malicious serialized ViewState and achieve remote code execution (RCE) through .NET deserialization. The patch should therefore be applied immediately to prevent exploitation.
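The following is an added example, not code from NCSC, Rapid7 or Microsoft, showing how the two indicators above (the string runat='server' and SharePoint page creations) can be turned into a simple hunt over HTTP request records, with a third, assumed indicator for uploaded page markup that references web.config. The endpoint patterns, the `Request` record shape and the sample requests are all constructed for illustration and should be adapted to the proxy or IIS log format actually in use.

```python
"""Hunt for CVE-2020-16952 PoC activity in HTTP request records.

Added example, not part of the NCSC advisory or any vendor tooling.
Indicators checked:
  runat_server          - runat='server' (either quote style) in headers or body
  page_creation         - POST/PUT to an assumed SharePoint page-creation endpoint
  web_config_reference  - uploaded page markup that mentions web.config (assumed)
"""
import re
from dataclasses import dataclass, field

RUNAT_SERVER = re.compile(r"""runat\s*=\s*["']?server["']?""", re.IGNORECASE)
WEB_CONFIG = re.compile(r"web\.config", re.IGNORECASE)
# Assumed page-creation endpoints: an .aspx upload through the REST files API,
# or the legacy FrontPage RPC author.dll. Adjust to your own environment.
PAGE_CREATION = re.compile(
    r"(/_api/web/.*?/files/add\(.*?\.aspx|/_vti_bin/_vti_aut/author\.dll)",
    re.IGNORECASE,
)


@dataclass
class Request:
    """One HTTP request as a proxy or IIS log might reconstruct it."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def indicators(req):
    """Return the names of the indicators that one request matches."""
    hits = []
    header_blob = "\n".join(f"{k}: {v}" for k, v in req.headers.items())
    if RUNAT_SERVER.search(header_blob) or RUNAT_SERVER.search(req.body):
        hits.append("runat_server")
    if req.method.upper() in ("POST", "PUT") and PAGE_CREATION.search(req.path):
        hits.append("page_creation")
        # Only page content is interesting here; web.config in a normal
        # list-item body is far more likely to be a user typing a filename.
        if WEB_CONFIG.search(req.body):
            hits.append("web_config_reference")
    return hits


def suspicious(requests):
    """Return (path, indicators) for every request that matched anything."""
    found = []
    for req in requests:
        hits = indicators(req)
        if hits:
            found.append((req.path, hits))
    return found


# Constructed sample traffic: two benign requests, one ordinary page creation,
# and one request that carries all three indicators.
SAMPLE_REQUESTS = [
    Request("GET", "/sites/hr/SitePages/Home.aspx", {"Host": "sp.example.internal"}),
    Request("POST", "/sites/hr/_api/web/lists/getbytitle('Tasks')/items",
            {"Content-Type": "application/json;odata=verbose"},
            '{"Title": "Review web.config change request"}'),
    Request("POST",
            "/sites/hr/_api/web/GetFolderByServerRelativeUrl('/sites/hr/SitePages')"
            "/Files/add(url='Minutes.aspx',overwrite=false)",
            {"X-RequestDigest": "0xABC123"},
            "<div>Meeting notes for October</div>"),
    Request("POST",
            "/sites/hr/_api/web/GetFolderByServerRelativeUrl('/sites/hr/SitePages')"
            "/Files/add(url='poc.aspx',overwrite=true)",
            {"X-RequestDigest": "0xABC123"},
            '<form runat="server"><asp:Label runat="server" Text="web.config" /></form>'),
]

if __name__ == "__main__":
    for path, hits in suspicious(SAMPLE_REQUESTS):
        print(f"{path}: {', '.join(hits)}")
```

A page creation on its own is a weak signal (the third sample request is an ordinary wiki page upload), so the output is meant to be triaged: requests that combine a page creation with runat='server', or with a web.config reference, are the ones to pull server-side logs for.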