Microsoft SharePoint Server - Remote Code Execution Vulnerability (CVE-2024-38228)

Description

Vulnerability Summary

A critical security vulnerability has been reported in Microsoft SharePoint Server. The vulnerability is described as a remote code execution vulnerability. Microsoft has not shared specific technical details at the time of writing (2024-11-09).

Impact If Exploited

An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of the file's parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server.

Remediation

Official Fix & Remediation Guidance

This vulnerability was fixed by Microsoft during their September 2024 'Patch Tuesday' update, which addressed a significant number of security vulnerabilities, including four zero-day exploits and 79 vulnerabilities across various products. Due to ongoing active exploitation, prioritisation should be given to remediation of this vulnerability in any impacted environment.

You can help protect your system by installing the latest update from Microsoft. Customers are advised to upgrade to the latest version of Microsoft Windows via one of the following methods. After you install this update, you may have to restart your system:

  • This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

  • To get the standalone package for this update, go to the Microsoft Update Catalog website.

  • You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References

Vendor Advisories

Third-Party Analysis & Threat Intelligence

  • TBC

PoC and Exploit Code

  • TBC

Risk

Impact: Critical
Probability: Medium
CVSS v4 Score:
CVSS v3 Score: 7.2 / 10
CVSS v2 Score: 8.3 / 10
EPSS: 1.5 %

Versions

Information

Category: Arbitrary Code Execution
CWE: CWE-77
Known Exploitation Activity: No exploitations reported

OWASP

OWASP 2013: Unknown
OWASP 2017: Unknown
OWASP 2021: Unknown