✅ Report Title:
Brief Overview of Microsoft SharePoint Vulnerabilities
✅ Report Summary:
- On July 9, 2024, Microsoft urgently patched SharePoint vulnerabilities CVE-2024-38023, CVE-2024-38024, and CVE-2024-38094.
- The vulnerability was announced with a CVSSv3.1 score of 7.2 (HIGH) and patched on July 9, 2024. No exploitation cases are known as of the report date (July 12, 2024). However, because PoC code was recently published, users are advised to enable threat detection.
📌 What is the cause of the vulnerability?
- Certain methods of the Entity class on Microsoft SharePoint servers handle deserialization improperly, which allows arbitrary code execution.
- A user with Site Owner privileges on a SharePoint server can modify the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file located on the SharePoint site to create arbitrary LobSystem objects.
- The user can execute CSOM actions referencing the LobSystem object through specific endpoints, allowing data to be passed as parameters via the object reference.
- When manipulated parameters are passed to a method that performs deserialization, this flaw results in arbitrary code execution.
📌 What is the attack scenario if the vulnerability is exploited?
- An attacker requires an account with Site Owner privileges on a vulnerable Microsoft SharePoint server.
- The attacker creates a BusinessDataMetadataCatalog folder on the SharePoint site and uploads the BDCMetadata.bdcm file to generate a malicious LobSystem object with a payload.
- By sending a request to the /_vti_bin/client.svc/ProcessQuery endpoint, referencing the malicious LobSystem in a CSOM Action, the attacker can achieve arbitrary code execution through the deserialization vulnerability.
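The request sequence described above can be hunted in IIS logs. The following is an added example, not part of the original report or any vendor rule set: it flags a write to BDCMetadata.bdcm followed by a ProcessQuery POST from the same user and client IP. The log field set, the 30-minute window, the assumption that the upload is logged as a PUT or POST to that URI stem, and the sample log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

BDCM_SUFFIX = "/businessdatametadatacatalog/bdcmetadata.bdcm"
CSOM_ENDPOINT = "/_vti_bin/client.svc/processquery"
WRITE_METHODS = {"PUT", "POST"}  # assumption: how the upload shows up in the log

# Constructed IIS W3C sample; users, addresses and site names are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-07-12 09:00:01 POST /sites/hr/_vti_bin/client.svc/ProcessQuery CORP\\alice 10.0.0.5 200
2024-07-12 09:14:30 PUT /sites/dev/BusinessDataMetadataCatalog/BDCMetadata.bdcm CORP\\bob 10.0.0.9 201
2024-07-12 09:15:02 POST /sites/dev/_vti_bin/client.svc/ProcessQuery CORP\\bob 10.0.0.9 200
2024-07-12 11:30:00 POST /sites/dev/_vti_bin/client.svc/ProcessQuery CORP\\bob 10.0.0.9 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def find_suspect_sequences(text, window=timedelta(minutes=30)):
    """Return (upload, csom_call) pairs: a BDCMetadata.bdcm write followed by a
    ProcessQuery POST from the same user and client IP within `window`.
    Assumes log lines are in chronological order."""
    uploads, hits = {}, []
    for row in parse_w3c(text):
        key = (row["cs-username"].lower(), row["c-ip"])
        stem = row["cs-uri-stem"].lower()
        if row["cs-method"] in WRITE_METHODS and stem.endswith(BDCM_SUFFIX):
            uploads[key] = row  # remember the most recent upload per user/IP
        elif row["cs-method"] == "POST" and stem.endswith(CSOM_ENDPOINT):
            up = uploads.get(key)
            if up and timedelta(0) <= row["ts"] - up["ts"] <= window:
                hits.append((up, row))
    return hits

if __name__ == "__main__":
    for up, call in find_suspect_sequences(SAMPLE_LOG):
        print(f"{call['ts']} {call['cs-username']} {call['c-ip']}: "
              f"{call['cs-uri-stem']} after {up['cs-uri-stem']} at {up['ts']}")
```

ProcessQuery is used by ordinary CSOM clients, so the endpoint alone is noisy; the correlation with a preceding BDCMetadata.bdcm write is the signal, and uploads made through other APIs will not appear under this URI stem.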
✅ Recommended Threat Detection and Mitigation Measures:
- Update threat detection rules, ensure continuous monitoring, and apply the latest patches.
- If patching is not feasible, follow alternative mitigation steps.
- Download and install the security-updated versions:
  - Microsoft SharePoint Server Subscription Edition 16.0.17328.20424 or later
  - Microsoft SharePoint Server 2019 16.0.10412.20001 or later
  - Microsoft SharePoint Enterprise Server 2016 16.0.5456.1000 or later
- For a detailed analysis and specific mitigation measures, please contact us through the link below.
🧑💻 Report Author: S2W TALON
👉 For inquiries about the full report: https://s2w.inc/en/contact