The National Cyber Security Centre has ‘strongly advised’ organisations to immediately patch certain versions of Microsoft SharePoint against a vulnerability that allows cyber criminals to execute code in the context of the local Administrator.
The vulnerability, assigned CVE-2020-16952, has been discovered in SharePoint Foundation 2013 Service Pack 1, SharePoint Enterprise Server 2016, and SharePoint Server 2019. However, SharePoint Online, which is part of Microsoft’s Office 365 package, does not contain this vulnerability.
According to Steven Seeley, a member of the Qihoo 360 Vulcan Team who discovered the vulnerability and disclosed it to Microsoft in July this year, the vulnerability arises due to “the lack of proper validation of user-supplied data which can result in a server-side include”. This can be exploited by an attacker to execute arbitrary code on affected installations of SharePoint Server in the context of the local Administrator.
Seeley added that authentication is required to exploit this vulnerability and that the specific flaw exists within the DataFormWebPart class. According to Microsoft, which released a security update a few days ago, an attacker can exploit the vulnerability by uploading a specially crafted SharePoint application package to an affected version of SharePoint.
“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
“The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages,” Microsoft said. The respective security updates for SharePoint Foundation 2013 Service Pack 1, SharePoint Enterprise Server 2016, and SharePoint Server 2019 are available from Microsoft.
According to the National Cyber Security Centre, vulnerabilities in Microsoft SharePoint have been exploited on a large scale in the past to target UK organisations, including two SharePoint CVEs that feature in the CISA Top 10 Routinely Exploited Vulnerabilities.
In May last year, Microsoft issued a patch for a critical vulnerability in Microsoft SharePoint that allowed attackers to run arbitrary code by uploading a specifically crafted SharePoint application package. “Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive data, enable lateral movement within a network and potentially use the access to target an organisation’s customers and suppliers,” NCSC warned.