Hello and welcome to the Wednesday, November 29, 2023 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I wrote up a quick diary about an exploit that be sort of sea gaining steam for Microsoft SharePoint vulnerability.

CVE 2020, 29357.

This is a vulnerability that Microsoft originally patched in June.

An exploit for it was released late September.

And we have seen a little trickle like one or two here and there of exploit attempts for this particular vulnerability.

But yesterday it really sort of started picking up and these attacks came from one particular IP address, 212, 113, 106, 100.

The vulnerability itself is really sort of exploited in concert with the second vulnerability, CVE 202023-24955.

Now, we didn't see an exploit for the second vulnerability that would be sort of a follow-up

if the first exploit succeeds in our honeypots. We're not emulating SharePoint close enough

to actually make the second vulnerability then show up. The problem here is that the first vulnerability is labeled

a privilege escalation vulnerability, but it's really more an authentication

bypass vulnerability.

It acts as a particular API that lists all site users.

That's the name sort of of the API, which includes administrators.

And then an attacker can use that information to actually impersonate one of those users.

The second vulnerability is then your remote code execution vulnerability that uses the

credentials or the privileges being acquired using the first

vulnerability. Now, when it comes to the IP address, the attacks came from, that's also kind of

interesting in that that particular web server that was running at that IP address was compromised

and had a defacement page from

...