'Active Threat' Warning: Patch Serious SharePoint Flaw Now
SharePoint Remains Top Hacker Target, UK's National Cyber Security Center Warns
Security experts are urging organizations to patch a newly revealed serious flaw in Microsoft SharePoint as quickly as possible. They warn that proof-of-concept exploit code is already available, and attackers are likely to quickly tap it.
The flaw in the SharePoint web-based collaboration platform has been rated "critical" by Microsoft because it can be remotely exploited by attackers to execute arbitrary code.
"Successful exploitation of this vulnerability would allow an attacker to run arbitrary code and carry out security actions in the context of the local administrator on affected installations of SharePoint server," the U.K.'s National Cyber Security Center, the public-facing arm of intelligence agency GCHQ, warns in a Friday security alert.
SharePoint Update Fixes Flaw
On Tuesday, Microsoft released a fix for the flaw - designated CVE-2020-16952 - in the form of a security update for affected versions of SharePoint as part of its regularly scheduled, monthly release of software updates and security fixes.
"Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint," Microsoft says in a security alert. "The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages."
The flaw is present in three versions of SharePoint:
- Microsoft SharePoint Foundation 2013 Service Pack 1;
- Microsoft SharePoint Enterprise Server 2016;
- Microsoft SharePoint Server 2019.
"SharePoint Online as part of Office 365 is not affected," NCSC says.
Proof-of-Concept Exploit Code Published
The flaw was discovered and reported to Microsoft by veteran security researcher Steven Seeley, who runs security firm Source Incite. On Tuesday, he published proof-of-concept exploit code for the flaw on GitHub.
Microsoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include Remote Code Execution Vulnerability
Technical analysis + PoC exploit: https://t.co/sKCiTY1Ver
— ϻг_ϻε (@steventseeley) October 13, 2020
"This PoC can be detected by identifying HTTP headers containing the string runat='server' - as well as auditing SharePoint page creations," NCSC says.
"The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization," according to an analysis of the flaw published by security firm Rapid7.
The open source penetration testing toolkit Metasploit, managed by Rapid7, was updated on Wednesday with an exploit for the flaw.
"This one is an active threat," Caitlin Condon, Metasploit's research and development manager, says of CVE-2020-16952. "Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers, and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments."
The risk posed by the flaw to shared environments is also high. "Since an exploit has been released, Rapid7 researchers recommend applying Microsoft’s patch immediately," the security firm says in its analysis of the flaw. "CVE-2020-16952 poses higher risk for multitenant environments - i.e., multiple organizations using the same SharePoint and/or Active Directory environment."
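The header check NCSC describes above, as an added Python example that is not from NCSC, Microsoft or the original article: it scans the header section of raw HTTP requests for runat=server, tolerating quote style, letter case, percent-encoding and folded header lines. The sample requests, host, path and header names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# runat=server with optional quotes and whitespace, any letter case.
RUNAT_SERVER = re.compile(r"""runat\s*=\s*["']?\s*server""", re.IGNORECASE)

def parse_headers(raw):
    """Return [(name, value)] from the header section of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]           # the body is deliberately ignored
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def flagged_headers(raw):
    """Names of headers whose value contains runat=server after decoding."""
    hits = []
    for name, value in parse_headers(raw):
        decoded = unquote(unquote(value))        # single and double percent-encoding
        if RUNAT_SERVER.search(decoded):
            hits.append(name)
    return hits

def build(lines, body=""):
    """Assemble a raw request from header lines and an optional body."""
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Constructed sample requests; host, path and header names are placeholders.
BASE = ["POST /constructed/path HTTP/1.1", "Host: sharepoint.example.test"]
SAMPLES = {
    "benign": build(BASE + ["User-Agent: constructed-client/1.0"]),
    "quoted": build(BASE + ["X-Constructed: <placeholder runat='server' />"]),
    "encoded": build(BASE + ["X-Constructed: <placeholder RunAt%253D%2522server%2522 />"]),
    "folded": build(BASE + ["X-Constructed: <placeholder runat=", "\t\"server\" />"]),
    "body_only": build(BASE + ["Content-Type: text/plain"], '<placeholder runat="server" />'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {flagged_headers(raw)}")
```

The check covers headers only, matching the NCSC indicator; the second half of that guidance, auditing SharePoint page creations, is a separate control that this sketch does not implement.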
Prevalence of Flaw
How prevalent are vulnerable SharePoint installations?
Scans run by Rapid7's in-house internet scanning project, Project Sonar, have found numerous internet-connected SharePoint servers that lack critical patches.
Of the 300 SharePoint 2019 instances counted by Project Sonar, for example, while "most had been updated in the last year," unfortunately, "many are missing updates for critical vulnerabilities," tweets Tom Sellers, principal security researcher at Rapid7 Labs.
Meanwhile, of the 1,800 SharePoint 2016 servers counted, "most of them missing patches for critical vulnerabilities," and one-third "aren't even running a supported version of code."
We saw ~6,400 SharePoint 2013 servers. What is notable here is that SP1 broke patching and had to be revoked. It definitely shows in the data. If you run one please(!) make sure it's up to date. https://t.co/we2RMJwMmX pic.twitter.com/yFS83Zzmw2
— Tom Sellers (@TomSellers) October 15, 2020
Project Sonar turned up numerous unpatched SharePoint servers, including almost 900 SharePoint 2007 servers, none running a supported version of Windows. Microsoft declared SharePoint 2007 "end of life" in 2017, at which point the software had not received any security updates for seven years.
Top Hacker Target: SharePoint Flaws
Another imperative for rapidly patching this flaw is that crime gangs and nation-state attackers alike continue to scan for these types of vulnerabilities, according to Chris Yule, director of the threat research capability at cybersecurity firm Secureworks.
Their driver is simple: Both types of attackers will typically use the minimum necessary effort and technical sophistication required to hack a target.
"Almost every incident, whether it's post-intrusion ransomware or something else, will start with a software vulnerability," Yule said in a presentation earlier this month at the ScotSoft conference in Edinburgh, Scotland, which was held virtually.
Yule highlighted four vulnerabilities as being among the most targeted over the past year:
- CVE-2020-0688: A Microsoft Exchange validation key remote-code execution flaw;
- CVE-2019-1978: A Citrix NetScaler ADC directory traversal flaw;
- CVE-2019-11510: A Pulse Connect Secure VPN flaw;
- CVE-2019-0604: A Microsoft SharePoint remote-code execution flaw.
NCSC's Friday alert also singles out the SharePoint flaw. "The NCSC always recommends applying security updates promptly to mitigate the exploitation of all vulnerabilities but in this case, the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities, such as CVE-2019-0604, against U.K. organizations," it says.
In addition, it notes that "two SharePoint CVEs also appear in the CISA Top 10 Routinely Exploited Vulnerabilities."
That's a reference to a list published by the U.S. Cybersecurity and Infrastructure Security Agency and FBI in May, which they say is designed to help all organizations "place an increased priority on patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors" (see: Patch or Perish: Nation-State Hacker Edition). Typically, "sophisticated nation-state hackers" refers to attackers aligned with, or directly working for, the governments of China, Iran, North Korea and Russia.
Reminder: Audit Networks
Rapid7's Sellers says the newly disclosed SharePoint flaw serves as a reminder to organizations to continually audit their environments, rapidly patch systems, keep software and servers updated and always running supported versions, and forcibly retire outdated or insecure systems.
If the data is any indication CVE-2020-16952 is going to be with us for a long time.
1. Audit your environments
2. Get it off the 'Net if you don't need it there
3. Patch your gear
4. Upgrade your gear to supported versions
5. If surprised, determine how it was missed
— Tom Sellers (@TomSellers) October 15, 2020
"Get it off the 'net if you don't need it there," Sellers says.