The information below was sent to U-M IT groups on October 19, 2020. It is intended for U-M IT staff who are responsible for university servers running Microsoft SharePoint.
Summary
A vulnerability has been discovered in Microsoft SharePoint that could allow for remote code execution. Microsoft has released a Security Update, which should be applied as soon as possible after appropriate testing.
Problem
According to Microsoft, a remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. After successful exploitation, the vulnerability allows attackers to remotely execute code in the context of the local Administrator account.
Affected Versions
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
Note: SharePoint Online as part of Office 365 is not affected.
Action Items
Apply the Security Update provided by Microsoft as soon as possible after appropriate testing.
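Added example (not part of the U-M alert or of Microsoft's guidance): a PowerShell check a SharePoint administrator can run after installing the update to confirm the fixed build is present on every SharePoint server in the farm, not just the one where the package was installed. It assumes the SharePoint Management Shell on a farm server, WinRM access to the other farm servers, and that the fixed build numbers (placeholders below) are taken from Microsoft's CVE-2020-16952 advisory for each product.

```powershell
# Post-patch verification for the CVE-2020-16952 SharePoint Security Update.
# Run in the SharePoint Management Shell on a farm server as a farm administrator.
# PLACEHOLDERS: the fixed build numbers are not given in the U-M alert; take them
# from Microsoft's advisory / KB article for the affected product before running.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$fixedBuilds = @{
    '15' = [version]'15.0.0.0'   # PLACEHOLDER: SharePoint Foundation 2013 SP1 fixed build
    '16' = [version]'16.0.0.0'   # PLACEHOLDER: SharePoint Server 2016 / 2019 fixed build
}

$farm  = Get-SPFarm
$hive  = $farm.BuildVersion.Major          # 15 = SharePoint 2013, 16 = SharePoint 2016/2019
$fixed = $fixedBuilds["$hive"]

Write-Output ("Farm configuration database build: {0}" -f $farm.BuildVersion)
if ($farm.BuildVersion -lt $fixed) {
    Write-Warning "Farm build is below the fixed build: update not applied, or psconfig not yet run."
}

# The farm build only advances once the Products Configuration Wizard (psconfig)
# has run, so also inspect the binary each server actually loads:
# Microsoft.SharePoint.dll in the hive's ISAPI folder. Servers that only host the
# SQL databases report Role 'Invalid' and carry no SharePoint binaries, so skip them.
$dllPath = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\$hive\ISAPI\Microsoft.SharePoint.dll"
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }

foreach ($server in $servers) {
    $fileVersion = Invoke-Command -ComputerName $server.Address -ScriptBlock {
        param($path)
        [version](Get-Item $path).VersionInfo.FileVersion
    } -ArgumentList $dllPath

    [pscustomobject]@{
        Server       = $server.Address
        DllVersion   = $fileVersion
        Patched      = ($fileVersion -ge $fixed)
        NeedsUpgrade = $server.NeedsUpgrade   # True means psconfig is still pending here
    }
}
```

A server showing Patched = True but NeedsUpgrade = True has the binaries installed but the update is not complete until the configuration wizard has been run on it; a server showing Patched = False still needs the update installed.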
Threats
An attacker who successfully exploited the server-side include (SSI) vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. This vulnerability can be exploited when a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
Technical Details
As described by Source Incite: “The specific flaw exists within the DataFormWebPart class. The issue results from the lack of proper validation of user-supplied data which can result in a server side include. An attacker can leverage this vulnerability to execute code in the context of the local Administrator.”
Information for Users
This alert applies to server applications and is not directed at end users.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact info-assurance@umich.edu.
References
- Alert: Risk of SharePoint vulnerability to UK organisations (National Cyber Security Centre, 10/16/20)
- NCSC Releases Alert on Microsoft SharePoint Vulnerability (Cybersecurity & Infrastructure Security Agency, 10/16/20)
- SRC-2020-0022 : Microsoft SharePoint Server DataFormWebPart CreateChildControls Server-Side Include Remote Code Execution Vulnerability (Source Incite)
- UK urges orgs to patch severe CVE-2020-16952 SharePoint RCE bug (Bleeping Computer, 10/16/20)
- CVE-2020-16952 | Microsoft SharePoint Remote Code Execution Vulnerability (Microsoft, 10/13/20)