Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation.

The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges.

To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SharePoint Online is not affected by the vulnerability.

SharePoint vulnerabilities are attractive to hackers as SharePoint is commonly used by enterprise organizations. Previous SharePoint vulnerabilities have been extensively exploited, two of which were listed in CISA’s list of the top 10 most exploited vulnerabilities between 2016 and 2019.

Microsoft issued an out-of-band patch to correct the flaw this week. The patch needs to be applied to correct the vulnerability as there are no mitigations to prevent exploitation of the flaw. The patch changes the way SharePoint checks the source markup of application packages.

A proof of concept exploit for the vulnerability has been publicly released on GitHub by security researcher Steven Seeley, who discovered the flaw and reported it to Microsoft. The PoC could easily be weaponized so there is a high risk of exploits being developed and used in attacks on organizations. At the time of the release of the patch, Microsoft was unaware of any cases of exploitation of the flaw in the wild.

According to NCSC, “This PoC can be detected by identifying HTTP headers containing the string runat=’server’ – as well as auditing SharePoint page creations.”

Rapid7 researchers have warned that the vulnerability has a very high value to hackers due to the ease at which the vulnerability can be exploited to gain privileged access.

“The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization,” explained Rapid7.  The patch should be applied as soon as possible to prevent exploitation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.