
SharePoint SSI Directives Vulnerability



Summary

A remote code execution vulnerability in Microsoft's SharePoint collaboration tool has been disclosed. The NCSC are also warning that this vulnerability may be actively exploited in the near future.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Microsoft has released details of a server-side includes (SSI) vulnerability affecting several versions of their SharePoint online sharing and collaboration platform. They claim that a remote authenticated attacker could exploit this vulnerability to execute arbitrary code in the context of the local SharePoint administrator.

Proof-of-concepts available

Please note that several proof-of-concept exploits for CVE-2020-16952 are available on public code repositories.


Vulnerability details

The vulnerability appears to be the result of a failure in vulnerable SharePoint versions to properly check SSI directives included in the source markup of application packages. By specially crafting application packages with malformed SSI directives, a user with page creation privileges (enabled by default in SharePoint) can force the vulnerable system to execute code contained within the package.
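The following added example, which is not part of the advisory or of Microsoft's guidance, scans exported page or package markup for SSI directives so that a reviewer can see where they occur. It assumes the markup is available as text and uses the generic `<!--#name attr="value" -->` directive form; the function names, the `HIGH_INTEREST` triage set and the sample markup are constructed for illustration.

```python
import re
from typing import NamedTuple

# Generic SSI directive shape: <!--#name attr="value" ... -->
# Whitespace after "<!--" and directives spanning lines are tolerated.
DIRECTIVE_RE = re.compile(r"<!--\s*#([A-Za-z]+)\b(.*?)-->", re.DOTALL)
ATTR_RE = re.compile(r"""([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Triage choice made for this example (an assumption, not from the advisory):
# directives that pull in or run server-side content are reviewed first.
HIGH_INTEREST = {"include", "exec"}

class Finding(NamedTuple):
    line: int            # 1-based line where the directive starts
    directive: str       # directive name, lower-cased
    attributes: dict     # attribute name -> value
    high_interest: bool

def find_ssi_directives(markup: str) -> list:
    """Return every SSI directive found in the markup, in document order."""
    findings = []
    for m in DIRECTIVE_RE.finditer(markup):
        name = m.group(1).lower()
        attrs = {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(m.group(2))}
        line = markup.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, name, attrs, name in HIGH_INTEREST))
    return findings

# Constructed sample markup; paths and values are placeholders.
SAMPLE = """<html>
<body>
<!-- ordinary comment, not a directive -->
<p>Team page</p>
<!--#INCLUDE virtual="/constructed/example.inc" -->
<!-- #echo
     var='DATE_LOCAL' -->
</body>
</html>
"""

if __name__ == "__main__":
    for f in find_ssi_directives(SAMPLE):
        print(f)
```

A hit only shows that a directive is present in user-authored markup and needs review; it is no substitute for applying the update.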


Remediation advice

Affected organisations are encouraged to review the Microsoft security update guide entry for CVE-2020-16952 and apply the relevant updates immediately.


Remediation steps

Type: Patch
Step: CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952


Last edited: 21 October 2020 2:11 pm