Government Spooks Urge Firms to Patch SharePoint Bug

Government experts are warning SharePoint customers to urgently patch a remote code execution (RCE) vulnerability fixed by Microsoft last week.

A National Cyber Security Centre (NCSC) alert on Friday claimed successful exploitation of CVE-2020-16952 could enable attackers to run arbitrary code and carry out security actions in the context of a local administrator on affected installations.

“The NCSC always recommends applying security updates promptly to mitigate the exploitation of all vulnerabilities but in this case the NCSC has previously seen a large number of exploitations of SharePoint vulnerabilities, such as CVE-2019-0604, against UK organizations,” it continued.

“Two SharePoint CVEs also appear in the CISA Top 10 Routinely Exploited Vulnerabilities.”

The vulnerability itself affects Microsoft SharePoint Foundation 2013 Service Pack 1, SharePoint Enterprise Server 2016 and SharePoint Server 2019, but not SharePoint Online as part of Office 365.

It occurs because the software fails to check the source markup of an application package, according to Microsoft. Exploitation therefore requires a user to upload a specially crafted SharePoint application package to an affected version.

The NCSC’s warning comes despite Microsoft rating exploitation as “less likely.” The bug has a CVSS score of 8.6 on all affected versions for SharePoint.

Although there are no reports of attackers leveraging this vulnerability at the moment, proof-of-concept code is already available.

Experts at Rapid7 also urged SharePoint administrators to prioritize patching.

“SharePoint is a high-value attack target and has seen a number of high-severity vulnerabilities patched in recent months,” the security vendor said. “It is likely that active exploitation will occur within a relatively short time frame; it was trivial for Rapid7 researchers to validate the vulnerability’s exploitability and weaponize [the] PoC.”

Beyond this vulnerability, SharePoint accounted for just under a third of the 23 critical flaws patched by Microsoft in September.