What is CVE-2020-1147?
CVE-2020-1147 is a critical vulnerability affecting Microsoft SharePoint, a popular web-based collaboration platform used by organizations to manage and share documents, data, and applications. This vulnerability allows attackers to execute arbitrary code within the context of the SharePoint application pool and the SharePoint server farm account. It affects multiple versions of Microsoft SharePoint, including SharePoint Server 2010, 2013, 2016, and 2019, making it a significant threat to organizations that rely on SharePoint for document management and collaboration.
CVSS Score and Severity
- CVSS Score: 8.6 (High)
- Severity: The CVSS score of 8.6 out of 10 reflects the high severity of this vulnerability. The ability for attackers to execute arbitrary code on the SharePoint server can lead to full system compromise, data theft, and disruption of services.
So what’s the problem?
CVE-2020-1147 is particularly dangerous because it allows attackers to upload a maliciously crafted page or web part to the SharePoint server, which is then executed with elevated privileges. This can result in the complete compromise of the SharePoint server and, by extension, the organization’s data and documents stored on the platform. The vulnerability is especially concerning in environments where SharePoint is used extensively for collaboration and document management, as it could lead to the loss or exposure of sensitive information.
Background and Context
Background on the vulnerability
CVE-2020-1147 was discovered in 2020 as part of a series of security updates released by Microsoft. SharePoint is widely used across various industries, making it a prime target for attackers. The vulnerability is rooted in how SharePoint handles the deserialization of untrusted data, specifically when processing user-supplied content such as web parts or page templates. If this data is not properly validated, it can lead to the execution of arbitrary code, allowing an attacker to take control of the SharePoint server.
Description of the Vulnerability (CVE-2020-1147)
The vulnerability occurs because Microsoft SharePoint does not correctly handle the deserialization of certain XML data. When a user uploads a specially crafted page or web part to the SharePoint server, the server processes the content without proper validation, leading to the execution of arbitrary code. This code runs with the privileges of the SharePoint application pool and the SharePoint server farm account, potentially leading to full system compromise.
Root Cause Analysis
The root cause of CVE-2020-1147 is the improper handling and deserialization of untrusted data in Microsoft SharePoint. The vulnerability arises from the lack of sufficient validation when processing XML content uploaded to the server. This flaw allows attackers to inject malicious code into the serialized data, which is then executed when the server processes the content. The deserialization process in SharePoint lacks the necessary security checks to prevent such attacks, leading to this critical vulnerability.
Impact and Exploitation
The impact of CVE-2020-1147
Exploiting CVE-2020-1147 can have several serious impacts:
- Remote Code Execution: The most severe impact is the ability for an attacker to execute arbitrary code on the SharePoint server, potentially leading to full control over the server and all data stored on it.
- Data Breach: An attacker who successfully exploits this vulnerability can access, modify, or steal sensitive information stored in the SharePoint environment, leading to data breaches and potential regulatory penalties.
- Service Disruption: The attacker could disrupt SharePoint services, leading to downtime and loss of access to critical collaboration tools for the organization.
Exploit
To exploit CVE-2020-1147, an attacker needs to upload a maliciously crafted page or web part to the SharePoint server. The exploitation process involves:
- Gaining access to a SharePoint site where the attacker has sufficient permissions to upload content (e.g., a contributor role).
- Crafting a web part or page that contains malicious XML data designed to exploit the deserialization vulnerability.
- Uploading the crafted content to the SharePoint server, which then processes the XML and executes the malicious code with elevated privileges.
In-the-Wild Attacks
Since its disclosure, CVE-2020-1147 has been a target for exploitation in the wild. Attackers have leveraged this vulnerability to compromise SharePoint servers, gaining access to sensitive data and executing malicious code. The widespread use of SharePoint across industries has made this vulnerability particularly attractive to attackers, especially in targeted attacks against high-value organizations.
Vulnerable code/package in the application
The vulnerable code is located within the XML handling components of Microsoft SharePoint, specifically in how the server processes serialized data uploaded as web parts or pages. The affected versions include SharePoint Server 2010, 2013, 2016, and 2019, as well as SharePoint Enterprise Server versions prior to the security updates released in July 2020.
Statistics on vulnerability
While specific exploitation statistics for CVE-2020-1147 are not widely available, the critical nature of this vulnerability and the widespread use of SharePoint make it a significant concern for many organizations. The vulnerability’s potential for remote code execution and data compromise underscores the importance of addressing it promptly.
Mitigation and Remediation
Mitigating CVE-2020-1147
Organizations can mitigate the risks associated with CVE-2020-1147 by:
- Applying Patches: Microsoft has released patches to address this vulnerability. It is critical to apply these security updates to all affected versions of SharePoint to prevent exploitation.
- Restricting Upload Permissions: Limiting who can upload pages or web parts to the SharePoint server can reduce the risk of exploitation. Only trusted users should have the ability to upload content that could potentially contain serialized data.
- Monitoring and Alerts: Implement monitoring and alerting for suspicious activity on SharePoint servers, such as unusual uploads or unexpected changes to web parts and pages.
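As an added example that is not code from the original article, the Python script below supports the monitoring bullet above: it parses IIS W3C log lines from a SharePoint front end and flags successful PUT/POST requests that store .aspx, .webpart or .dwp files, the page and web part content the article says exploitation relies on. The log lines, user names, paths and function names are constructed for this illustration.

```python
import re
from collections import Counter

# Extensions of SharePoint pages and web part definition files.
PAGE_OR_WEBPART = re.compile(r"\.(aspx|webpart|dwp)$", re.IGNORECASE)
WRITE_METHODS = {"PUT", "POST"}

# Constructed sample IIS W3C log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2020-07-20 09:12:01 10.0.0.5 CONTOSO\\alice GET /sites/hr/SitePages/Home.aspx 200
2020-07-20 09:15:44 10.0.0.9 CONTOSO\\bob PUT /sites/hr/SitePages/Report.aspx 201
2020-07-20 09:15:50 10.0.0.9 CONTOSO\\bob PUT /sites/hr/_catalogs/wp/Custom.webpart 201
2020-07-20 09:16:02 10.0.0.9 CONTOSO\\bob POST /sites/hr/_layouts/15/upload.aspx 200
2020-07-20 09:20:13 10.0.0.7 CONTOSO\\carol PUT /sites/hr/Shared%20Documents/budget.xlsx 201
2020-07-20 09:21:30 10.0.0.9 CONTOSO\\bob PUT /sites/hr/SitePages/Test.aspx 401
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_content_write(rec):
    """True for a successful PUT/POST that stores a page or web part file."""
    path = rec["cs-uri-stem"]
    if rec["cs-method"] not in WRITE_METHODS:
        return False
    if not rec["sc-status"].startswith("2"):  # rejected writes never stored content
        return False
    if "/_layouts/" in path.lower():  # form posts to UI pages, not stored files
        return False
    return bool(PAGE_OR_WEBPART.search(path))


def find_upload_events(text):
    """Return (user, path) for every flagged page or web part write in the log."""
    return [(r["cs-username"], r["cs-uri-stem"]) for r in parse_w3c(text) if is_content_write(r)]


def uploads_per_user(text):
    """Count flagged writes per account so bursts from one user stand out."""
    return Counter(user for user, _ in find_upload_events(text))
```

Feeding the output into an alerting rule (for example, any flagged write by an account that is not an approved page author) turns the list into the alert the mitigation bullet describes.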
Patch and Bypass: Fixes Added for CVE-2020-1147
The patch for CVE-2020-1147 involves updates to how SharePoint handles the deserialization of XML data, ensuring that it is properly validated before being processed. Microsoft’s security update also includes additional checks to prevent similar vulnerabilities in the future. Organizations should ensure that all SharePoint servers are updated to the latest version to protect against this vulnerability.
Proactive response
A proactive security approach includes regularly updating software, conducting security audits of SharePoint environments, and implementing strict access controls to minimize the risk of exploitation. Organizations should also educate users about the importance of adhering to security best practices when uploading content to SharePoint.
Proof of Concept (POC)
A POC for CVE-2020-1147 could involve uploading a maliciously crafted file to a SharePoint instance:
```xml
<configuration>
  <system.webServer>
    <handlers>
      <add name="MaliciousHandler" path="*.aspx" verb="*" type="System.Web.HttpApplication"/>
    </handlers>
  </system.webServer>
</configuration>
```
When the server processes this file, it could execute the embedded commands, demonstrating the vulnerability.
Real-world Impact and Response
Timeline/changelog
- July 2020: Discovery and public disclosure of CVE-2020-1147 as part of Microsoft’s security updates.
- July 2020: Microsoft releases patches to address the vulnerability in all affected versions of SharePoint.
- August 2020: Security advisories and guidance issued to organizations to update their SharePoint installations and secure their environments against potential exploitation.
- September 2020: Continued monitoring for potential exploitation and additional updates released by Microsoft to further secure SharePoint environments.
Observed Activity
Since its disclosure, CVE-2020-1147 has been actively targeted by attackers, particularly in environments where SharePoint is used for managing sensitive data. Attackers have exploited this vulnerability to gain unauthorized access to SharePoint servers, leading to data breaches and system compromise.
Mass Scanning
Following the disclosure of CVE-2020-1147, there has been an increase in scanning activity targeting SharePoint servers, particularly looking for unpatched systems that are vulnerable to this exploit. Attackers use automated tools to identify and compromise these servers.
Vulnerable Server Discovery
Vulnerable SharePoint servers can be discovered by attackers through targeted scanning or by analyzing network traffic for signs of outdated SharePoint versions. Systems that have not been updated with the latest security patches are at high risk of exploitation.
Reasoning and Scoring
Corporate networks impacted globally
CVE-2020-1147 has the potential to impact corporate networks globally, particularly in industries that rely heavily on SharePoint for document management and collaboration. The vulnerability can be exploited to gain unauthorized access to sensitive information, disrupt operations, or deploy malicious code across an organization’s SharePoint environment.
Corporate numbers impacted by countries
- United States: Extensive use of SharePoint in enterprise environments, with many organizations potentially at risk.
- Europe: Significant adoption of SharePoint in finance, healthcare, and government sectors, leading to potential exposure.
- Asia: Widespread use of SharePoint in various industries, where secure document management is critical.
Conclusion
Who should be paying attention to this?
System administrators, cybersecurity professionals, and organizations that use Microsoft SharePoint for collaboration and document management should prioritize attention to CVE-2020-1147. Ensuring that SharePoint servers are patched and secure is critical for maintaining the overall security of the organization’s data and collaboration tools.
Who is exploiting it and how?
CVE-2020-1147 has been exploited by attackers who identify unpatched SharePoint servers. These attackers upload malicious web parts or pages containing serialized data that exploits the deserialization vulnerability, leading to remote code execution and system compromise.
How are things likely to develop?
As more organizations apply patches and secure their SharePoint environments, the risk of widespread exploitation decreases. However, unpatched systems remain vulnerable, and attackers will likely continue to target organizations that have not yet applied the necessary security updates. Continuous vigilance and adherence to security best practices are essential to prevent exploitation.
How long has it been around?
CVE-2020-1147 was discovered and disclosed in July 2020, but the underlying deserialization issue may have existed in Microsoft SharePoint for some time before its discovery. This highlights the importance of regular security reviews and updates to address potential vulnerabilities in widely used enterprise software.