It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShot
In this bonus Threat SnapShot, we wanted to highlight a few of the most relevant and impactful vulnerabilities from December and January.
First, we'll cover a privilege escalation (elevation of privilege) vulnerability in Microsoft SharePoint Server (CVE-2023-29357), rated critical with a CVSS score of 9.8. A remote, unauthenticated attacker can present a spoofed JSON Web Token (JWT) to a vulnerable server and obtain the privileges of an authenticated user on the target. According to Microsoft's advisory, no user interaction is required to exploit this flaw. The publicly released PoC stops at authentication bypass rather than RCE, but the STAR Labs research referenced below chains this flaw with a post-authentication code injection bug to reach pre-auth RCE, so it is likely that threat actors will weaponize the exploit for malicious use.
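One place to start hunting is the bearer token itself. The public PoC forges a JWT whose header declares `alg: none` and whose signature segment is empty, so the forgery indicators are visible in any log that captures the Authorization header. The following is an added example, not code from the page or from Microsoft: it decodes tokens from constructed request lines without verifying them and reports structural forgery signals. The log format, the claim values, and the `ver=hashedprooftoken` check (a claim value taken from the public PoC, not from the page) are assumptions.

```python
import base64
import json
import re


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Reverse of _b64url_encode; restores the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_bearer_token(token: str) -> dict:
    """Decode a JWT *without* verifying it and list forgery indicators.

    This is a triage aid for logs, not an authentication check: a token with
    no findings may still be forged, and verification belongs to the server.
    """
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return {"header": None, "claims": None,
                "findings": ["malformed: expected header.payload.signature"]}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return {"header": None, "claims": None,
                "findings": ["malformed: header or payload is not base64url JSON"]}
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none: token declares itself unsigned")
    if parts[2] == "":
        findings.append("empty signature segment")
    if claims.get("ver") == "hashedprooftoken":
        # Claim value set by the public PoC; an assumption drawn from the PoC, not the page.
        findings.append("ver=hashedprooftoken claim present")
    return {"header": header, "claims": claims, "findings": findings}


# Matches "Authorization: Bearer <jwt>"; the signature segment may be empty.
BEARER_RE = re.compile(
    r"Authorization:\s*Bearer\s+([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)")


def scan_requests(log_lines):
    """Return (line_number, findings) for each request carrying a suspicious bearer token."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = BEARER_RE.search(line)
        if not match:
            continue
        result = inspect_bearer_token(match.group(1))
        if result["findings"]:
            hits.append((number, result["findings"]))
    return hits


# Constructed sample tokens with hypothetical claims; the "signed" one carries
# placeholder signature bytes and is only structurally well-formed.
FORGED_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "none"}).encode()),
    _b64url_encode(json.dumps({"iss": "00000003-0000-0ff1-ce00-000000000000",
                               "nameid": "c#.f|membership|admin@corp.example",
                               "ver": "hashedprooftoken",
                               "exp": 1704067200}).encode()),
    "",
])
SIGNED_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-key-id"}).encode()),
    _b64url_encode(json.dumps({"iss": "00000003-0000-0ff1-ce00-000000000000",
                               "nameid": "c#.f|membership|alice@corp.example",
                               "exp": 1704067200}).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

# Constructed request log lines in a hypothetical format (not an IIS or proxy log).
SAMPLE_REQUESTS = [
    f"GET /_api/web/siteusers Authorization: Bearer {SIGNED_TOKEN}",
    f"GET /_api/web/siteusers Authorization: Bearer {FORGED_TOKEN}",
    "GET /sites/hr/default.aspx Cookie: FedAuth=...",
]

if __name__ == "__main__":
    for number, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"line {number}: {'; '.join(findings)}")
```

Run against real data, point `BEARER_RE` at whatever field your web server or reverse proxy logs the Authorization header into; IIS does not log it by default, so a proxy or a request-capture module is usually where this data lives.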
Next, we'll dive into a Remote Code Execution (RCE) vulnerability in Splunk Enterprise caused by insecure XML parsing (CVE-2023-46214). Splunk did not sufficiently sanitize user-supplied Extensible Stylesheet Language Transformations (XSLT), so an authenticated user could upload a stylesheet that writes to the server's filesystem and turn that into code execution. Because exploitation needs a valid login rather than an administrative role, and Splunk is widely deployed, this vulnerability could be exploited by insider threats or adversaries already lurking in an organization, or more broadly against the thousands of publicly exposed Splunk instances.
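The sanitization the advisory refers to is the gap here: a stylesheet that only reshapes XML for display has no business writing output documents to arbitrary paths. The following is an added example, not Splunk's code or the referenced analysis: a screener for uploaded XSLT that rejects file-writing extension elements before the stylesheet ever reaches a processor. The constructed malicious sample mirrors the shape of the public PoC (an EXSLT `document` element that drops a file under the Splunk install directory); the paths, element set, and finding strings are assumptions.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSLT_COMMON_NS = "http://exslt.org/common"

# Stylesheet elements that write an output document to a location chosen by
# the stylesheet author. A stylesheet uploaded only to reshape XML for
# display never needs any of these.
FILE_WRITING_ELEMENTS = {
    f"{{{EXSLT_COMMON_NS}}}document": "exsl:document",
    f"{{{XSL_NS}}}document": "xsl:document (XSLT 1.1 draft)",
    f"{{{XSL_NS}}}result-document": "xsl:result-document (XSLT 2.0+)",
}


def screen_stylesheet(xslt_text: str) -> list:
    """Return findings for an uploaded stylesheet; an empty list means it passed.

    Findings prefixed "rejected:" should block the upload; "warning:" is a
    softer signal worth logging. Parsing uses expat via ElementTree, which does
    not fetch external entities, so the screener itself is not an XXE sink.
    """
    findings = []
    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        return [f"rejected: not well-formed XML ({exc})"]
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        findings.append(f"rejected: root element {root.tag} is not xsl:stylesheet")
    prefixes = root.get("extension-element-prefixes")
    if prefixes:
        findings.append(f"warning: declares extension-element-prefixes={prefixes}")
    for element in root.iter():
        label = FILE_WRITING_ELEMENTS.get(element.tag)
        if label:
            target = element.get("href", "<no href>")
            findings.append(f"rejected: {label} writes to {target}")
    return findings


# Constructed sample: the file-dropping shape of the public PoC, with a
# harmless script body. The target path is an assumption.
MALICIOUS_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="/opt/splunk/bin/scripts/payload.sh" method="text">
      <xsl:text>#!/bin/sh
echo screened
</xsl:text>
    </exsl:document>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: a stylesheet that only renders events as an HTML table.
BENIGN_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <table>
      <xsl:for-each select="//event">
        <tr><td><xsl:value-of select="@time"/></td><td><xsl:value-of select="."/></td></tr>
      </xsl:for-each>
    </table>
  </xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_XSLT), ("benign", BENIGN_XSLT)):
        print(name, screen_stylesheet(text) or ["ok"])
```

A block-list like this is a detection-grade check, not a substitute for the vendor patch: the durable fix is to run untrusted stylesheets under a processor configuration that denies file and network writes outright, or not to accept user-supplied XSLT at all.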
Finally, we'll look at a template injection flaw affecting Atlassian Confluence Data Center and Server (CVE-2023-22527). This critical vulnerability was given the maximum CVSS score of 10 because an unauthenticated attacker can achieve remote code execution in a low-complexity attack. It harkens back to earlier Confluence CVEs, such as CVE-2022-26134 and CVE-2021-26084, that let an attacker inject OGNL expressions to gain code execution.
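The thread connecting these Confluence bugs is that user-controlled input ends up evaluated as OGNL, and the injected expressions share recognizable fragments regardless of which endpoint carries them. The following is an added example, not code from the page or from Atlassian: it normalizes URL encoding and the `\uXXXX` escapes attackers use to smuggle quotes, then scores constructed request records by whether OGNL markers appear and whether the target is a Velocity template endpoint. The request record format, the marker list, and the severity labels are assumptions; the first sample is modeled on the shape of the public PoC with a harmless response-header probe in place of a command.

```python
import re
from urllib.parse import unquote, unquote_plus

# Velocity template endpoints that accept user-controlled parameters.
TEMPLATE_PATH_RE = re.compile(r"^/template/.*\.vm$")

# Expression fragments that only make sense if the parameter is being
# evaluated as OGNL rather than displayed as text.
OGNL_MARKERS = [
    ".KEY_velocity.struts2.context",   # handle to the OGNL value stack used by the public PoC
    "internalGet(", "findValue(",      # methods the public PoC calls on that handle
    "#request[", "#parameters.",       # OGNL context roots
    "@org.apache.struts2",             # static class access
    "freemarker.template.utility.Execute",
    "${#", "${@",                      # expression wrappers seen in the earlier Confluence CVEs
]

UNICODE_ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(text: str) -> str:
    """Undo the layers an attacker adds: URL encoding (twice, for double-encoding
    evasion) and then OGNL \\uXXXX escapes, so markers match the evaluated text."""
    decoded = unquote(unquote_plus(text))
    return UNICODE_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def classify_request(request: dict) -> dict:
    """Return the route, the OGNL markers found, and a severity label."""
    route = request["path"].split("?", 1)[0]
    haystack = normalize(request["path"] + "\n" + request.get("body", ""))
    markers = [m for m in OGNL_MARKERS if m in haystack]
    if markers and TEMPLATE_PATH_RE.match(route):
        severity = "high"      # OGNL aimed at a template endpoint
    elif markers:
        severity = "medium"    # OGNL fragments elsewhere; also catches older-style path injection
    else:
        severity = "none"
    return {"route": route, "markers": markers, "severity": severity}


# Constructed request records in a hypothetical format (method, path with query, body).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/template/aui/text-inline.vm",
     "body": "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d"
             ".internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027"
             "&x=@org.apache.struts2.ServletActionContext@getResponse()"
             ".setHeader(%27X-Probe%27,%27probe%27)"},
    {"method": "POST", "path": "/template/aui/text-inline.vm", "body": "label=Hello+world"},
    {"method": "GET", "path": "/%24%7B%23probe%7D/", "body": ""},
    {"method": "GET", "path": "/login.action", "body": ""},
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        result = classify_request(request)
        print(request["method"], result["route"], result["severity"], result["markers"])
```

On a live deployment the interesting inputs are the request bodies, which most access logs do not record; a reverse proxy or WAF in front of Confluence is the usual place to capture them. Pair the network-side signal with the host-side detections listed below (unexpected child processes and file creation by the Confluence service), since a successful injection shows up there regardless of how the request was encoded.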
As always, we'll also discuss detection and threat hunting strategies to keep your organization safe.
References:
- https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/#vulnerability-2-code-injection-in-dynamicproxygeneratorgenerateproxyassembly
- https://github.com/Chocapikk/CVE-2023-29357
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://thehackernews.com/2024/01/citrix-vmware-and-atlassian-hit-with.html
SnapAttack Resources:
- https://app.snapattack.com/collection/a588a6ff-e3ec-455d-a2e3-c8ea864f0dc1 - Collection: Microsoft SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357) | Threat SnapShot
- https://app.snapattack.com/threat/313fea61-0b06-a207-66c2-db56f7bd5349 - Threat: CVE-2023-29357 SharePoint Elevation of Privilege
- https://app.snapattack.com/detection/a866984a-dd7a-4aa4-b155-c004fdd5e9b6 - Detection: Possible CVE-2023-29357 Exploitation
- https://app.snapattack.com/collection/c80609e7-b39e-4959-a8d8-b4559cbb967b - Collection: Remote Code Execution (RCE) in Splunk Enterprise through Insecure XML Parsing (CVE-2023-46214) | Threat SnapShot
- https://app.snapattack.com/threat/9a120805-4edb-8386-3723-d0b31384e9e1 - Threat: CVE-2023-46214 Splunk Remote Code Execution
- https://app.snapattack.com/threat/005cdbbb-2965-cbc7-e2e7-fc1739f66339 - Threat: CVE-2023-46214 Splunk Remote Code Execution (Linux)
- https://app.snapattack.com/detection/94f1d31e-441a-4d20-8e4f-27b562bee7b1 - Detection: Possible Splunk Exploitation (File Events)
- https://app.snapattack.com/detection/d69c36c1-f3db-420c-a5d8-6beb0bbcbd29 - Detection: Possible Splunk Exploitation (Linux File Events)
- https://app.snapattack.com/detection/8dad5c75-8a0b-47de-9480-881d63aeab97 - Detection: Suspicious Splunk Process
- https://app.snapattack.com/detection/0050d68b-aae4-4037-856f-b761afea3768 - Detection: Suspicious Splunk Process (Linux)
- https://app.snapattack.com/detection/a131af3a-efec-435e-bcf0-6b913242eb92 - Detection: Potential CVE-2023-46214 Exploitation Attempt (zeek)
- https://app.snapattack.com/attack/5c72f503-80cd-4f09-b3ce-779cbdd9fc87 - Attack Script: CVE-2023-46214 Splunk Remote Code Execution
- https://app.snapattack.com/collection/152f5c80-1fff-4e2c-aad6-c509a37edd45 - Collection: Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527) | Threat SnapShot
- https://app.snapattack.com/threat/4940dfe8-1050-de11-9566-43664124ad7f - Threat: CVE-2023-22527 - Atlassian Confluence Template Injection
- https://app.snapattack.com/detection/d0d3e91a-c182-418d-af88-c9558e23a616 - Detection: Confluence Template Injection
- https://app.snapattack.com/detection/aa9d80d9-ed47-44da-aceb-2909ca4dc19e - Detection: Suspicious Confluence File Creation
- https://app.snapattack.com/detection/dbe30b18-3c79-4a15-8735-d94e0891b62f - Detection: Suspicious child processes of Atlassian Confluence
- https://app.snapattack.com/attack/ad45e712-a161-4dd6-9a3b-cdca85c55346 - Attack Script: CVE-2023-22527 Confluence OGNL Template Injection