A fatal error has been detected in Microsoft SharePoint added to known exploits (KEV) catalog of the US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active use.
The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability that affects SharePoint and could lead to remote code execution.
“An authenticated attacker with permission from the site owner could use the vulnerability to inject arbitrary code and execute that code in the context of SharePoint Server,” Microsoft said. said in the notice of deficiency.
There were patches for the security flaw released Redmond as part of the July 2024 Patch Tuesday Updates The exploit risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw available in public domain.
“The PoC script (…) automates authentication to a target SharePoint site using NTLM, creates a specific folder and file, and sends a crafted XML payload to cause a vulnerability in the SharePoint client API” — SOCRadar said.
There are currently no reports of CVE-2024-38094 being used in the wild. In light of abuses in the wild, Federal Civil Enforcement Agency (FCEB) agencies have until November 12, 2024 to apply the latest patches to protect their networks.
This development comes after Google’s Threat Analysis Team (TAG) discovered that a patched zero-day vulnerability in Samsung mobile processors was used as part of an exploit chain to execute arbitrary code.
Assigned CVE ID CVE-2024-44068 (CVSS score 8.1), on October 7, 2024 it was addressed with the South Korean electronics giant characterizing it’s like “post-release usage in a mobile processor (which) leads to privilege escalation”.
Although Samsung’s brief advisory did not mention that it was used in the wild, Google TAG researchers Xinyu Jin and Clement Lessin said the zero-day exploit for the flaw is being used as part of a privilege escalation chain.
“An actor can execute arbitrary code in a privileged camera server process,” the researchers said said. “The exploit also renamed the process name itself to ‘vendor.samsung.hardware.camera.provider@3.0-service’, presumably for forensics purposes.”
The disclosure also follows a new proposal from CISA that lays out a series of security requirements to prevent mass access to sensitive US personal or government data by countries of concern and affected individuals.
Organizations are required to remediate known exploited vulnerabilities within 14 calendar days, critical unexploited vulnerabilities within 15 calendar days, and high severity unexploited vulnerabilities within 30 calendar days.
“To ensure and verify that a covered system is denying covered individuals access to covered data, it is necessary to maintain audit logs of such accesses, as well as organizational processes for using those logs,” the agency said. said.
“Similarly, organizations need to develop identity management processes and systems to understand which people may have access to different sets of data.”
