SharePoint Servers Now Actively Targeted by CVE-2019-0604 Exploit -- Redmondmag.com

SharePoint Servers Now Actively Targeted by CVE-2019-0604 Exploit

By Kurt Mackie
05/10/2019

A "Critical"-rated vulnerability in SharePoint Server versions that Microsoft issued a patch for back in March is now getting actively targeted, according to some security authorities.

Attackers are installing China Chopper Web shells on SharePoint Servers to carry out remote code execution attacks. Potentially affected SharePoint products include all versions, from SharePoint Server 2010 through SharePoint Server 2019, as described in Microsoft's Security Advisory CVE-2019-0604.

Christopher Doman, a security researcher at AlienVault, raised the alarm about the active targeting in a Tweet on Friday. He cited an April 23 alert by the Canadian Centre for Cyber Security, as well as an undated alert by Saudi Arabia's National Cyber Security Center, as indicating that the targeting was active. Security researcher Kevin Beaumont commented in that post that the exploit isn't public yet, but that "some APT [advanced persistent threat] and crimeware groups are already using it, i.e. ones with skills."

The vulnerabilities were publicly described in a March 13 Trend Micro Zero Day Initiative (ZDI) blog post by researcher Markus Wulftange, who described leveraging the XMLSerializer in SharePoint. The proof-of-concept attack is highly technical, perhaps making it seem less likely to occur.

Microsoft first published its CVE-2019-0604 security advisory in February. It first released security updates for the SharePoint vulnerability on March 12, but later sent patches out again on April 25, per the security bulletin's history. However, Wulftange described Microsoft sending the patch out twice in March because Microsoft had missed fixing one of the flaws.

In any case, authorities are now suggesting that the SharePoint Server flaw is being actively targeted, which apparently wasn't the case back in March.

In other SharePoint Server patch news, Microsoft warned IT pros earlier this month that there are minimum cumulative update patch levels to maintain for both SharePoint Server 2013 and SharePoint Server 2016. Organizations need to have the April 2018 and May 2018 Cumulative Updates installed, respectively, to keep their SharePoint farms supported.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.