CVE-2019-0604

Analysis and mitigation of the SharePoint vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

Microsoft SharePoint contains a remote code execution vulnerability caused by failure to properly validate the source markup of application packages. An attacker can exploit this by sending a malicious application package to execute arbitrary code on affected SharePoint servers. This vulnerability has been actively exploited in the wild and is included in the CISA Known Exploited Vulnerabilities catalog. The vulnerability was disclosed on March 5, 2019. CISA has identified CVE-2019-0604 as exploited, and it is known to be used in ransomware campaigns.

Technical details

Microsoft SharePoint fails to properly validate and sanitize the markup contained within application packages (*.app files) before execution. When a SharePoint administrator or authorized user installs an application package, the platform does not adequately check the source markup for malicious code. An attacker can craft a malicious application package containing arbitrary PowerShell code or other executable content that will be executed with the privileges of the SharePoint application pool identity when the package is deployed.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-426 (Untrusted Search Path) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')).

The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating its high severity.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the SharePoint application pool identity (typically NETWORK SERVICE or a custom service account with elevated permissions). This can lead to: complete compromise of the SharePoint server, unauthorized access to sensitive SharePoint content and databases, lateral movement within the network, installation of persistent backdoors, and potential compromise of entire organizations. The attacker can read, modify, or delete sensitive data, including documents, lists, and user information stored in SharePoint. Given that SharePoint often serves as a central repository for organizational data, this vulnerability poses a critical risk to enterprise environments.

Mitigation and workarounds

Install the February 2019 Cumulative Update (CU) or later for your version of SharePoint Server. For SharePoint 2010: Apply KB4462221. For SharePoint 2013: Apply KB4462220. For SharePoint 2016: Apply KB4462219. For SharePoint 2019: Apply KB4462218. After applying patches, run the SharePoint Products Configuration Wizard or use PowerShell to complete the patch installation. The following versions include the necessary fixes: SharePoint Server 2010: KB4462221 or a later cumulative update; SharePoint Server 2013: KB4462220 or a later cumulative update; SharePoint Server 2016: KB4462219 or a later cumulative update; SharePoint Server 2019: KB4462218 or a later cumulative update; SharePoint Online: patched server-side by Microsoft (no customer action required).

As temporary workarounds: disable the SharePoint App Catalog or restrict permissions to install applications. In Central Administration, restrict 'Manage App Licenses' and application installation permissions to trusted administrators only. Implement network segmentation and access controls to restrict who can reach SharePoint administration interfaces, and limit network access to SharePoint servers from untrusted sources. Monitor SharePoint audit logs and application installation events for suspicious activity, looking for unusual app deployments or installations from unexpected sources. Enforce the principle of least privilege for SharePoint service accounts, and ensure the SharePoint application pool identity runs with the minimum necessary permissions.
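The monitoring workaround above, as an added example that is not part of the original report: a farm-wide inventory of installed SharePoint add-ins, flagging any whose title is not on an administrator-maintained allowlist. It assumes an elevated SharePoint Management Shell on a farm server running SharePoint 2013 or later (where Get-SPAppInstance exists); the allowlist titles and the CSV output path are constructed placeholders.

```powershell
# Added example: inventory every SharePoint add-in instance in the farm and flag
# those not on the approved list, to support review of unexpected app deployments.
# Run in an elevated SharePoint Management Shell on a farm server (SharePoint 2013+).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed allowlist: titles of add-ins the organization has approved (placeholder values).
$ApprovedTitles = @('Corporate Directory', 'Timesheet')
$Report = New-Object System.Collections.Generic.List[object]

foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Get-SPAppInstance returns nothing for a web with no add-ins installed.
        $instances = @(Get-SPAppInstance -Web $web | Where-Object { $_ })
        foreach ($inst in $instances) {
            $Report.Add([pscustomobject]@{
                WebUrl         = $web.Url
                Title          = $inst.Title
                Status         = $inst.Status
                AppPrincipalId = $inst.AppPrincipalId
                AppWebUrl      = $inst.AppWebFullUrl
                Approved       = ($ApprovedTitles -contains $inst.Title)
            })
        }
        $web.Dispose()   # release each SPWeb as it is processed
    }
    $site.Dispose()      # release the SPSite once its webs are done
}

# Entries not on the allowlist are the ones to review against app catalog install history.
$Report | Where-Object { -not $_.Approved } | Format-Table -AutoSize
# Constructed output path (placeholder); adjust to a location your retention policy covers.
$Report | Export-Csv -Path 'C:\Temp\sp-app-inventory.csv' -NoTypeInformation
```

Re-running the script on a schedule and diffing the CSV against the previous run turns the one-off inventory into the ongoing monitoring the workaround calls for.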

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related Microsoft vulnerabilities

No related vulnerabilities with identified affected products.