
'Active Threat' Warning: Patch Serious SharePoint Flaw Now

SharePoint Remains Top Hacker Target, UK's National Cyber Security Center Warns

Security experts are urging organizations to patch a newly revealed serious flaw in Microsoft SharePoint as quickly as possible. They warn that proof-of-concept exploit code is already available, and attackers are likely to quickly tap it.


The flaw in the SharePoint web-based collaboration platform has been rated "critical" by Microsoft because it can be remotely exploited by attackers to execute arbitrary code.

"Successful exploitation of this vulnerability would allow an attacker to run arbitrary code and carry out security actions in the context of the local administrator on affected installations of SharePoint server," the U.K.'s National Cyber Security Center, the public-facing arm of intelligence agency GCHQ, warns in a Friday security alert.

SharePoint Update Fixes Flaw

On Tuesday, Microsoft released a fix for the flaw - designated CVE-2020-16952 - in the form of a security update for affected versions of SharePoint as part of its regularly scheduled, monthly release of software updates and security fixes.

"Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint," Microsoft says in a security alert. "The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages."

The flaw is present in three versions of SharePoint:

  • Microsoft SharePoint Foundation 2013 Service Pack 1;
  • Microsoft SharePoint Enterprise Server 2016;
  • Microsoft SharePoint Server 2019.

"SharePoint Online as part of Office 365 is not affected," NCSC says.

Proof-of-Concept Exploit Code Published

The flaw was discovered and reported to Microsoft by veteran security researcher Steven Seeley, who runs security firm Source Incite. On Tuesday, he published proof-of-concept exploit code for the flaw on GitHub.

"This PoC can be detected by identifying HTTP headers containing the string runat='server' - as well as auditing SharePoint page creations," NCSC says.
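One way to act on the NCSC detection guidance is a small log filter that flags any request whose headers carry the runat='server' marker. This is an added example written for this article, not code from NCSC, Microsoft or Rapid7; the record shape (id, path, headers) is an assumed, constructed log format, and the pattern also accepts double quotes and surrounding whitespace, which goes slightly beyond the exact string the alert cites.

```python
import re
from typing import Dict, Iterable, List

# The marker NCSC cites is runat='server'. Assumption: also match double quotes,
# optional whitespace around '=' and any letter case, to avoid trivial misses.
RUNAT_SERVER = re.compile(r"runat\s*=\s*['\"]server['\"]", re.IGNORECASE)


def header_hits(headers: Dict[str, str]) -> List[str]:
    """Return the names of headers whose value contains the runat='server' marker."""
    return [name for name, value in headers.items() if RUNAT_SERVER.search(value)]


def flag_requests(requests: Iterable[dict]) -> List[dict]:
    """Flag logged requests whose headers contain the marker.

    Each record is a dict with 'id', 'path' and 'headers' keys. This is an
    assumed, constructed log shape, not a real SharePoint or IIS log format.
    """
    flagged = []
    for rec in requests:
        hits = header_hits(rec.get("headers", {}))
        if hits:
            flagged.append({"id": rec["id"], "path": rec["path"], "headers": hits})
    return flagged


# Constructed sample records (not captured traffic). Records 2 and 3 carry the
# marker in a header; record 4 carries a similar but non-matching value.
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/sites/team/default.aspx",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}},
    {"id": 2, "path": "/sites/team/SitePages/new.aspx",
     "headers": {"User-Agent": "Mozilla/5.0", "X-Custom": "<x runat='server'>"}},
    {"id": 3, "path": "/sites/team/SitePages/new.aspx",
     "headers": {"X-Custom": 'element RunAt = "Server" end'}},
    {"id": 4, "path": "/sites/team/default.aspx",
     "headers": {"X-Custom": "runat=client"}},
]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(f"request {hit['id']} to {hit['path']}: marker in {hit['headers']}")
```

Pair the header check with a review of SharePoint page-creation audit events, as the alert also recommends, since the header string alone is easy to vary.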

"The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization," according to an analysis of the flaw published by security firm Rapid7.

The open source penetration testing toolkit Metasploit, managed by Rapid7, was updated on Wednesday with an exploit for the flaw.

"This one is an active threat," Caitlin Condon, Metasploit's research and development manager, says of CVE-2020-16952. "Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers, and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments."

The risk posed by the flaw to shared environments is also high. "Since an exploit has been released, Rapid7 researchers recommend applying Microsoft’s patch immediately," the security firm says in its analysis of the flaw. "CVE-2020-16952 poses higher risk for multitenant environments - i.e., multiple organizations using the same SharePoint and/or Active Directory environment."

Prevalence of Flaw

How prevalent are vulnerable SharePoint installations?

Scans run by Rapid7's in-house internet scanning project, Project Sonar, have found numerous internet-connected SharePoint servers that lack critical patches.

Of the 300 SharePoint 2019 instances counted by Project Sonar, for example, "most had been updated in the last year," but "many are missing updates for critical vulnerabilities," tweets Tom Sellers, principal security researcher at Rapid7 Labs.

Meanwhile, of the 1,800 SharePoint 2016 servers counted, "most of them" are "missing patches for critical vulnerabilities," and one-third "aren't even running a supported version of code."

Project Sonar turned up numerous unpatched SharePoint servers, including almost 900 SharePoint 2007 servers, none running a supported version of Windows. Microsoft declared SharePoint 2007 "end of life" in 2017, at which point the software had not received any security updates for seven years.

Top Hacker Target: SharePoint Flaws

Another imperative for rapidly patching this flaw is that crime gangs and nation-state attackers alike continue to scan for these types of vulnerabilities, according to Chris Yule, director of the threat research capability at cybersecurity firm Secureworks.

Their driver is simple: Both types of attackers will typically use the minimum necessary effort and technical sophistication required to hack a target.

"Almost every incident, whether it's post-intrusion ransomware or something else, will start with a software vulnerability," Yule said in a presentation earlier this month at the ScotSoft conference in Edinburgh, Scotland, which was held virtually.

Yule highlighted four vulnerabilities as being among the most targeted over the past year:

NCSC's Friday alert also singles out the SharePoint flaw. "The NCSC always recommends applying security updates promptly to mitigate the exploitation of all vulnerabilities but in this case, the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities, such as CVE-2019-0604, against U.K. organizations," it says.

In addition, it notes that "two SharePoint CVEs also appear in the CISA Top 10 Routinely Exploited Vulnerabilities."

That's a reference to a list published by the U.S. Cybersecurity and Infrastructure Security Agency and FBI in May, which they say is designed to help all organizations "place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors" (see: Patch or Perish: Nation-State Hacker Edition). Typically, "sophisticated nation-state hackers" refers to attackers aligned with, or directly working for, the governments of China, Iran, North Korea and Russia.

Reminder: Audit Networks

Rapid7's Sellers says the latest newly disclosed SharePoint flaw serves as a reminder to organizations to continually audit their environments, rapidly patch systems, keep software and servers updated and always running supported versions, as well as forcibly retire outdated or unsecure systems.

"Get it off the 'net if you don't need it there," Sellers says.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
