CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

Summary:
A high-severity vulnerability (CVE-2024-38094) impacting Microsoft SharePoint has been identified following the release of a public PoC and subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. This deserialization vulnerability allows an authenticated attacker with Site Owner permissions to inject and execute arbitrary code on the SharePoint server. The urgency to deploy these patches is heightened by the public availability of proof-of-concept (PoC) exploits. These exploits can automate authentication, create specific folders and files, and ultimately trigger the vulnerability through a crafted XML payload delivered via the SharePoint client API. Microsoft released patches for this vulnerability as part of its July 2024 Patch Tuesday updates. While there are no current reports of how CVE-2024-38094 is exploited in the wild, Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the fixes by November 12th, 2024 to mitigate potential risks.

Security Officer Comments:
As a SharePoint vulnerability, CVE-2024-38094 is rated high severity because of its exploitability and the post-exploitation RCE it enables. The existence of PoC exploits and the vulnerability's addition to the KEV catalog suggest imminent exploitation attempts against Microsoft SharePoint instances. Organizations, particularly those in the Federal Civilian Executive Branch (FCEB) with a November 12th, 2024 deadline, should prioritize deploying the available patches as soon as possible. Additionally, security teams should heighten monitoring for suspicious activity that might indicate attempts to use this vulnerability.

This incident coincides with CISA's recent proposal outlining stricter vulnerability remediation timelines for critical infrastructure. Organizations should prioritize good patch management, use CISA's KEV catalog to stay informed about vulnerabilities like CVE-2024-38094, and review their vulnerability management processes to ensure they can meet these new timeframes.

Suggested Corrections:
An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute it in the context of SharePoint Server. Organizations should remain vigilant for any unusual activity from authenticated accounts, adhere to the Principle of Least Privilege, watch for stolen or leaked employee SharePoint credentials, and build a resilient security awareness culture within the organization, especially around defending against phishing attempts.
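Because the vulnerability's precondition is an account holding Site Owner permissions, the least-privilege step above starts with knowing who actually holds that level of access. The following script is an added example, not part of the advisory and not code from CISA or Microsoft. It assumes it is run in the SharePoint Management Shell on a SharePoint Server farm member by a farm administrator, and it treats the "Full Control" permission level as the marker for Site Owner rights (the level the default Owners group is bound to). It records the farm build so the result can be compared against Microsoft's published July 2024 patch builds, then inventories every principal with Full Control on each web that has unique permissions, expanding SharePoint groups to their members.

```powershell
# Added example (not from the original advisory): inventory Full Control
# ("Site Owner") assignments across the farm and capture the farm build.
# Assumption: run in the SharePoint Management Shell with farm-admin rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm build version, to compare against Microsoft's patched build numbers.
$build = (Get-SPFarm).BuildVersion
Write-Host "Farm build: $build"

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        foreach ($web in $site.AllWebs) {
            # Webs that inherit permissions repeat their parent's assignments;
            # only webs with unique role assignments carry their own.
            if (-not $web.HasUniqueRoleAssignments) { $web.Dispose(); continue }

            foreach ($ra in $web.RoleAssignments) {
                $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                if ($levels -notcontains 'Full Control') { continue }

                $member = $ra.Member
                if ($member -is [Microsoft.SharePoint.SPGroup]) {
                    # Expand the SharePoint group so each member is listed.
                    foreach ($user in $member.Users) {
                        [PSCustomObject]@{
                            SiteUrl   = $web.Url
                            Principal = $user.LoginName
                            ViaGroup  = $member.Name
                            Levels    = ($levels -join ', ')
                        }
                    }
                } else {
                    [PSCustomObject]@{
                        SiteUrl   = $web.Url
                        Principal = $member.LoginName
                        ViaGroup  = ''
                        Levels    = ($levels -join ', ')
                    }
                }
            }
            $web.Dispose()
        }
    } finally {
        $site.Dispose()
    }
}

$report | Sort-Object SiteUrl, Principal | Format-Table -AutoSize
# Persist for review; hypothetical output path.
$report | Export-Csv -Path .\site-owner-audit.csv -NoTypeInformation
```

Review the CSV for service accounts, former employees, and domain groups (an AD group granted Full Control is a single line here but may hide many members) and remove any assignment that is not needed; each row removed is one fewer account whose credentials, if phished or leaked, could satisfy the vulnerability's authentication requirement.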

The increase in remote work has increased reliance on email as a vital communication mechanism. These conditions also raise the risk of personnel being targeted by phishing or spam attacks and, through them, malware infections. Employees will benefit from the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal information, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Protect devices, especially mobile devices, using antivirus, anti-spam, and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html

https://socradar.io/july-2024-patch-tuesday-fixes-139-cves-actively-exploited-zero-days-cisa-highlights-citrix-updates/