Security experts claim ransomware criminals have got their hands on a functional exploit for a nearly year-old critical Microsoft SharePoint vulnerability that was this week added to the US's must-patch list.
When vulnerabilities are added to CISA's known exploited vulnerabilities list, it means two things: Federal civilian executive branch agencies have three weeks to patch them, and they're being actively exploited by cybercrims.
Back in March 2023, during Vancouver's Pwn2Own contest, Jang chained CVE-2023-29357 with another bug to achieve unauthenticated RCE on a SharePoint server.
CVE-2023-29357 is a critical elevation of privileges vulnerability that carries a 9.8 severity score.
Microsoft originally addressed this in June 2023's Patch Tuesday, and Jang published a detailed rundown of how the exploit chain was developed a few months later in September.
Proof of concept code for CVE-2023-29357 was published to GitHub the following day, but wasn't constructed in a way that revealed how to chain it with CVE-2023-24955, or any other RCE bug, to achieve the pre-auth RCE exploit that earned Jang his $100,000 prize at Pwn2Own.
Researchers warned in September that the publication of the PoC code provided a foundation from which cybercriminals could build a working exploit, and it was highly important to patch both vulnerabilities as soon as possible.
The addition to CISA's KEV catalog means it has taken cybercriminals months to start exploiting the vulnerability, despite having the bare-bones tools to do so.
When PoC code is published for any given vulnerability, attacks typically soar in the days after as baddies race to develop working exploits before organizations can plug the holes.
Microsoft addressed CVE-2023-29357 in June and CVE-2023-24955 in May 2023, but IT admins have been reminded that simply applying the June 2023 Patch Tuesday updates won't automatically protect their organizations.
Manual, SharePoint-specific patches are required to ensure the fixes are applied properly as patches won't be installed by Windows Update.
It also hasn't been updated since June to reflect the active exploitation.
According to an advisory from NHS Digital, there is currently no known PoC code for the RCE vulnerability circulating online so those exploiting it will have developed it themselves and kept it a secret, for now.
This Cyber News was published on go.theregister.com. Publication date: Fri, 12 Jan 2024 20:13:03 +0000