Microsoft SharePoint Server Elevation of Privilege via CVE-2023-29357
Exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357, involving specific API calls and HTTP methods, can lead to privilege escalation and unauthorized access to sensitive data within the SharePoint environment.
This brief addresses potential exploitation attempts targeting CVE-2023-29357, a Microsoft SharePoint Server elevation of privilege vulnerability. Successful exploitation could allow attackers to gain unauthorized privileged access to the SharePoint environment. The vulnerability is triggered by crafting specific API calls. The provided detection logic monitors web server logs for requests to specific SharePoint API endpoints associated with user management and current user information, specifically targeting GET requests with a 200 status code to the /api/web/siteusers and /api/web/currentuser paths. Exploitation could lead to unauthorized access to sensitive data, data theft, and further compromise of the SharePoint server, resulting in a broader security breach.
Attack Chain
- The attacker identifies a vulnerable SharePoint server exposed to the internet or an internal network.
- The attacker crafts a malicious HTTP GET request targeting the
/api/web/siteusersendpoint, aiming to retrieve a list of site users. - The attacker sends the crafted HTTP GET request to the vulnerable SharePoint server.
- The SharePoint server processes the request without proper authorization checks due to the vulnerability.
- The server responds with a 200 OK status code, potentially returning sensitive information about site users, or granting elevated privileges.
- The attacker analyzes the response data, identifying privileged accounts or gaining insights into the SharePoint user structure.
- The attacker leverages the gained privileges to access sensitive data, modify SharePoint configurations, or further compromise the system.
Impact
Successful exploitation of CVE-2023-29357 can lead to a complete compromise of the SharePoint server. Attackers can gain unauthorized access to confidential documents, manipulate critical business data, and potentially use the compromised server as a pivot point for further attacks within the organization's network. The impact includes data breaches, financial losses, reputational damage, and disruption of business operations.
Recommendation
- Deploy the provided Sigma rule to detect exploitation attempts against CVE-2023-29357 by monitoring for specific API calls (e.g.,
*/_api/web/siteusers*,*/_api/web/currentuser*) in web server logs. - Review and patch Microsoft SharePoint Servers to the latest version to remediate CVE-2023-29357, as referenced in the references section.
- Implement network segmentation to limit the blast radius of a potential SharePoint compromise, as this helps contain lateral movement.
Detection coverage 2
SharePoint CVE-2023-29357 Exploitation Attempt
highDetects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357 based on specific API calls.
SharePoint CVE-2023-29357 User Agent Filter
mediumDetects potential exploitation attempts against Microsoft SharePoint Server vulnerability CVE-2023-29357 based on user agent strings seen used in exploits.
Detection queries are available on the platform. Get full rules →