CISA Adds Actively Exploited SharePoint RCE Chain to KEV Catalog, Mandates Federal Patching

CISA Warns of Actively Exploited Microsoft SharePoint Vulnerabilities, Adds Two to KEV Catalog

Severity: CRITICAL
March 12, 2026
Categories: Vulnerability, Cyberattack, Regulatory

Related Entities

CVE Identifiers

  • CVE-2023-29357 (Critical)
  • CVE-2023-24955 (High)

Executive Summary

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive adding two Microsoft SharePoint Server vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities, CVE-2023-29357 and CVE-2023-24955, can be chained by an unauthenticated attacker to achieve remote code execution (RCE) with the privileges of the SharePoint server. Because there is evidence of active exploitation, CISA has mandated that federal agencies patch these flaws. The warning is also a critical alert for public and private sector organizations running on-premises SharePoint servers to verify that they are patched and secure.

Threat Overview

The attack combines two powerful vulnerabilities:

  1. CVE-2023-29357 (CVSS 9.8 - Critical): An authentication bypass/privilege escalation vulnerability. It allows a remote, unauthenticated attacker to impersonate any user, including administrators, by sending a specially crafted API request containing a spoofed JSON Web Token (JWT).
  2. CVE-2023-24955 (CVSS 7.2 - High): A command injection/remote code execution vulnerability. An authenticated attacker with Site Owner permissions can inject and execute arbitrary commands on the server.

By chaining these two, an attacker can first use CVE-2023-29357 to gain administrator privileges without needing credentials. Then, using those elevated privileges, they can exploit CVE-2023-24955 to execute code on the underlying server, achieving a full, unauthenticated RCE.

Technical Analysis

The attack chain is dangerously simple and effective:

  1. Privilege Escalation: The attacker sends a malicious request to a SharePoint API endpoint, including a JWT with the "alg":"none" header. Due to the flaw, the server accepts this unsigned token, allowing the attacker to impersonate a site administrator.
  2. Remote Code Execution: Now authenticated as an administrator, the attacker leverages the privileges to exploit the second vulnerability, CVE-2023-24955. This involves manipulating a SharePoint application page to execute arbitrary PowerShell commands in the context of the SharePoint server's service account.

MITRE ATT&CK TTPs:

Impact Assessment

A successful exploit of this vulnerability chain leads to a complete compromise of the SharePoint server. The impact includes:

  • Data Theft: Attackers can access, exfiltrate, or delete all data stored within the SharePoint environment, which often includes sensitive corporate documents, intellectual property, and PII.
  • Network Pivot: The compromised SharePoint server can be used as a beachhead to launch further attacks into the internal corporate network.
  • Ransomware Deployment: Threat actors can use their access to deploy ransomware, not just on the SharePoint server but potentially across the entire network.
  • Persistence: Installation of web shells or other backdoors allows for long-term, stealthy access to the organization's network.

Detection & Response

  • Check Patch Status: The highest priority is to verify that the June 2023 (or later) Security Updates for Microsoft SharePoint Server have been applied. Use vulnerability scanners to confirm.
  • Review IIS Logs: Hunt for suspicious requests in the SharePoint server's IIS logs. Look for API calls that are unusual or requests containing JWTs with "alg":"none". Specifically, look for requests to endpoints like /_api/sp.identity.setauthenticated.
  • Monitor Process Creation: Use an EDR to monitor for suspicious child processes spawned by the SharePoint application pool process (w3wp.exe), such as cmd.exe, powershell.exe, or other reconnaissance commands (whoami, ipconfig).
  • D3FEND Techniques: Implement D3-NTA: Network Traffic Analysis to detect anomalous requests to SharePoint API endpoints. Use D3-WPA: Web Protocol Anomaly Detection to flag malformed JWTs or other protocol-level attacks.
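The two hunts above (watched API endpoints in IIS logs, and unexpected children of the app-pool worker in process-creation telemetry) can be expressed as a small script. This is an added example and not code from the report or from any vendor; it assumes W3C-format IIS logs with a `#Fields:` directive (IIS encodes spaces in values as `+`, so whitespace splitting is safe) and process events already flattened into dicts with `ParentImage`, `Image` and `CommandLine` keys, as Sysmon Event ID 1 provides. All sample log lines and events are constructed for the example.

```python
"""Hunting helpers for the Detection & Response items above.
Added example, not code from the original report. Assumptions:
  * IIS logs are W3C format with a #Fields: directive; values contain no
    spaces (IIS encodes them as '+'), so whitespace splitting is safe.
  * Process-creation telemetry (e.g. Sysmon Event ID 1) has been flattened
    into dicts with ParentImage / Image / CommandLine keys.
All sample data is constructed for this example.
"""
import re

# Endpoint the report singles out; matched as a substring of cs-uri-stem
# because SharePoint exposes _api under every site-collection path.
WATCHED_ENDPOINTS = ("/_api/sp.identity.setauthenticated",)

# Children of the app-pool worker that are rarely legitimate on a SharePoint host
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "ipconfig.exe"}


def parse_iis_w3c(text):
    """Parse W3C-format IIS log text into a list of dicts keyed by field name."""
    fields = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or data before #Fields
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def hunt_iis(rows):
    """Return (client IP, URI stem, status) for requests to watched endpoints."""
    hits = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if any(ep in stem for ep in WATCHED_ENDPOINTS):
            hits.append((r.get("c-ip"), stem, r.get("sc-status")))
    return hits


def _basename(path):
    """Last component of a Windows or POSIX path, lowercased."""
    return re.split(r"[\\/]", path)[-1].lower()


def hunt_process_events(events):
    """Return (child image, command line) for watched children of w3wp.exe."""
    hits = []
    for e in events:
        if _basename(e.get("ParentImage", "")) != "w3wp.exe":
            continue
        child = _basename(e.get("Image", ""))
        if child in WATCHED_CHILDREN:
            hits.append((child, e.get("CommandLine", "")))
    return hits


# --- constructed sample data ---------------------------------------------
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-10 09:12:01 10.0.0.5 GET /sites/hr/_api/web - 443 CONTOSO\alice 10.0.5.20 Mozilla/5.0+(Windows+NT+10.0) 200
2026-03-10 09:12:07 10.0.0.5 POST /_api/sp.identity.setauthenticated - 443 - 198.51.100.7 python-requests/2.31 200
"""

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c ipconfig"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # an admin's own console:
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                   # parent is not w3wp.exe, not flagged
]

if __name__ == "__main__":
    for hit in hunt_iis(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print("IIS:", hit)
    for hit in hunt_process_events(SAMPLE_EVENTS):
        print("PROC:", hit)
```

The endpoint match is deliberately a substring test, since the same `_api` path appears under every site collection. A legitimate admin console spawned from `explorer.exe` is left alone; only children of `w3wp.exe` are of interest, because the app-pool worker should never need a shell.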

Mitigation

  1. Patch Immediately: Apply the security updates released by Microsoft in June 2023 or later. This is the only way to fix the root cause of the vulnerabilities.
  2. Reduce Attack Surface: If possible, restrict access to your SharePoint server from the internet. If it must be internet-facing, place it behind a Web Application Firewall (WAF) with rules designed to inspect and block malicious SharePoint-related traffic.
  3. Enable Logging: Ensure that detailed logging is enabled for both SharePoint (ULS logs) and IIS, and that these logs are being ingested into a SIEM for correlation and analysis.
  4. Least Privilege for Service Accounts: Ensure the SharePoint service account runs with the minimum necessary privileges to function, which can help limit the impact of a successful RCE.

Timeline of Events

March 12, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Applying the June 2023 (or later) security updates for SharePoint Server is the only definitive way to remediate these vulnerabilities.
  • Use a Web Application Firewall (WAF) to filter and inspect traffic to the SharePoint server, potentially blocking exploit attempts at the network edge.
  • Audit (M1047, Enterprise): Continuously monitor IIS logs, Windows Event Logs, and SharePoint ULS logs for signs of compromise, such as anomalous process creation or suspicious API calls.

D3FEND Defensive Countermeasures

The active exploitation of this vulnerability chain makes patching an immediate, critical priority. All organizations running on-premises Microsoft SharePoint Server must verify that the June 2023 Security Update (or a more recent cumulative update) is installed. Use enterprise vulnerability scanning tools to confirm the patch status across all SharePoint farms. For multi-server farms, ensure the patch is applied consistently to every server role (Web Front End, Application, etc.). Given the severity and CISA KEV status, any unpatched, internet-facing SharePoint server should be considered compromised until proven otherwise.

To detect attempts to exploit CVE-2023-29357, security teams should configure their WAF, IDS, or network monitoring tools to inspect the Authorization header of incoming HTTP requests to SharePoint servers. Specifically, create a rule to flag any request containing a JSON Web Token (JWT) that specifies "alg":"none". This is a clear indicator of an attempt to bypass authentication, as legitimate tokens must be signed with a cryptographic algorithm. Alerting on this anomaly can provide an early warning of an attack, even before RCE is achieved. This detection should be treated as a high-confidence indicator of malicious activity and trigger an incident response playbook.
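The Authorization-header rule described above, as an added example that is not part of the report or of any WAF product. It assumes request headers are available as a dict, as they would be in a WAF plugin or reverse-proxy middleware; the sample requests (and their base64url-encoded JWT headers) are constructed. Only the JOSE header segment is decoded: the rule runs before SharePoint's own authentication and never tries to validate a signature itself.

```python
"""Authorization-header inspection for the "alg":"none" indicator.
Added example, not code from the original report or any WAF vendor.
Assumes request headers are supplied as a dict; sample data is constructed.
"""
import base64
import json


def decode_jwt_header(token):
    """Return the JOSE header of a compact JWT as a dict, or None if malformed.
    Only the header is decoded; no signature verification is attempted here
    because this is an anomaly rule applied before real authentication."""
    parts = token.split(".")
    # A JWS is header.payload.signature; an unsecured JWT carries an empty
    # third segment ("h.p."), and some clients drop the trailing dot entirely,
    # so both two- and three-segment forms are inspected.
    if len(parts) not in (2, 3):
        return None
    seg = parts[0] + "=" * (-len(parts[0]) % 4)   # restore base64url padding
    try:
        hdr = json.loads(base64.urlsafe_b64decode(seg))
    except ValueError:          # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return hdr if isinstance(hdr, dict) else None


def classify_jwt(token):
    """'unsigned' (alg none, empty or missing), 'signed', or 'malformed'."""
    hdr = decode_jwt_header(token)
    if hdr is None:
        return "malformed"
    alg = hdr.get("alg")
    # Compare case-insensitively: lenient parsers also accept "None" / "NONE".
    if alg is None or str(alg).strip().lower() in ("", "none"):
        return "unsigned"
    return "signed"


def inspect_request(headers):
    """Return a finding name when the bearer token is unsigned or undecodable,
    or None when nothing about the Authorization header is anomalous."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme, _, cred = auth.partition(" ")
    if scheme.lower() != "bearer":
        return None
    verdict = classify_jwt(cred.strip())
    if verdict == "unsigned":
        return "jwt-alg-none"    # high-confidence indicator, per the report
    if verdict == "malformed":
        return "jwt-malformed"   # lower confidence: log it, decide on blocking locally
    return None


def scan_requests(requests):
    """Run inspect_request over (client_ip, headers) pairs; return findings."""
    findings = []
    for ip, headers in requests:
        finding = inspect_request(headers)
        if finding:
            findings.append((ip, finding))
    return findings


# --- constructed sample requests -----------------------------------------
SAMPLE_REQUESTS = [
    # header {"alg":"HS256","typ":"JWT"}, dummy payload "{}" and dummy signature
    ("10.0.5.20", {"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.c2ln"}),
    # header {"alg":"none"}, payload "{}", empty signature segment
    ("198.51.100.7", {"Authorization": "Bearer eyJhbGciOiJub25lIn0.e30."}),
    # not a JWT at all
    ("10.0.5.21", {"Authorization": "Bearer not-a-jwt"}),
    # cookie-based session, no bearer token: out of scope for this rule
    ("10.0.5.22", {"Cookie": "FedAuth=..."}),
]

if __name__ == "__main__":
    for ip, finding in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip}: {finding}")
```

A missing `alg` claim is treated the same as `none`, since a JWT header without an algorithm has nothing a verifier could check. The malformed case is reported separately so that a noisy client does not inflate the high-confidence `jwt-alg-none` count that the report recommends routing straight into the incident response playbook.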


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

CISA, KEV, SharePoint, CVE-2023-29357, CVE-2023-24955, RCE, Microsoft
