“If your prioritisation stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics”
Microsoft has patched a fresh batch of critical bugs in its SharePoint platform — a collaboration and document management portal — including two remote code execution (RCE) vulnerabilities potentially allowing a hacker sustained access to critical business networks if left unpatched.
Two of the SharePoint bugs were found by security researcher Ivan Vagunin, who told Computer Business Review that the main attack vector was against multi-tenant farms (e.g. SharePoint Online) where you can “register a tenant… then exploit [the] bug to run code in the context of privileged account (that has access to other tenants) to get data from neighbor tenants.”
To exploit the bugs (CVE-2020-1023/1024), an attacker would need existing privileges and would have to upload a malicious application package. Vagunin told us: “If you just have a limited access (e.g. Reader role) to some SharePoint farm, it’s unlikely that you can exploit it”.
He added: “Any RCE for SharePoint Online is critical because code is executed in the context where you can get all data from the farm.”
The bugs were among 111 patched by Microsoft (16 rated as critical) as part of its monthly Patch Tuesday cycle of updates; for a change there were no publicly disclosed or exploited vulnerabilities this month.
Todd Schell, Senior Product Manager – Security at Ivanti, noted that most of the critical vulnerabilities are resolved by the OS and browser updates, but added that “if you look at the Exploitability Assessment, a number of Important CVEs are concerning. 10 of this month’s 111 CVEs carried exploit ratings of one, meaning exploitation is more likely for this vulnerability.
“What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as important. It is not uncommon to look at the critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as important. If your prioritisation stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics.”
Adobe meanwhile issued patches on Tuesday covering multiple vulnerabilities in Acrobat/Reader and DNG SDK. Adobe also released patches out-of-band on April 28th covering Critical vulnerabilities in Bridge, Illustrator, and Magento. The patches for Magento are Priority 2, while the others are Priority 3.