
    CISA Sounds the Alarm on Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised the alert over an actively exploited vulnerability within Microsoft SharePoint, which has now been added to the Known Exploited Vulnerabilities (KEV) catalog. This high-severity flaw, identified as CVE-2024-38094, poses a significant threat due to ongoing exploitation activities.

    This vulnerability, which carries a CVSS score of 7.2, arises from a deserialization issue within SharePoint. It can be leveraged to achieve remote code execution, placing systems at severe risk.

    Microsoft, in its security advisory, explained, “An authenticated attacker with Site Owner privileges can exploit this flaw to inject and execute arbitrary code within the SharePoint Server environment.”


    Patch Deployment and Public Exploit

    In response to this critical vulnerability, Microsoft issued patches as part of its Patch Tuesday updates in July 2024. The danger of exploitation is further escalated by the public availability of proof-of-concept (PoC) scripts.

    According to cybersecurity platform SOCRadar, the PoC exploit simplifies the attack by automating NTLM authentication to a target SharePoint site, then crafting a specific payload that triggers the vulnerability through the SharePoint client API.

    While no details of how CVE-2024-38094 is being used in real-world attacks have been confirmed, its in-the-wild exploitation necessitates immediate action. Federal Civilian Executive Branch (FCEB) agencies are instructed to apply the latest patches by November 12, 2024, to mitigate any risks to their infrastructure.


    New Exploits and Zero-Day Chain Discovered

    Simultaneously, Google’s Threat Analysis Group (TAG) has uncovered details regarding a now-resolved zero-day vulnerability in Samsung mobile processors that was exploited in the wild as part of a sophisticated exploit chain. Tracked as CVE-2024-44068 and bearing a CVSS score of 8.1, this flaw allows for arbitrary code execution by exploiting a use-after-free vulnerability in the processor, leading to privilege escalation.

    The vulnerability was patched on October 7, 2024, with Samsung acknowledging the issue, though the advisory does not detail its in-the-wild exploitation. However, TAG researchers Xingyu Jin and Clement Lecigne revealed that a zero-day exploit targeting this weakness has already been weaponized to elevate privileges, specifically within the cameraserver process.

    This particular attack not only executes code within a privileged process but also obscures forensic tracking by renaming the process to “[email protected].”


    CISA’s New Proposal on Data Security

    These revelations come as CISA introduces a new set of security protocols aimed at preventing unauthorized bulk access to sensitive U.S. personal or governmental data by adversarial nations or unauthorized entities.

    Under this proposed framework, organizations are mandated to address known exploited vulnerabilities within 14 calendar days, critical vulnerabilities without known exploits within 15 days, and high-severity vulnerabilities without exploits within 30 days.

    To further safeguard sensitive data, CISA recommends maintaining comprehensive audit logs to monitor access, alongside stringent identity management systems to oversee who has access to critical datasets. The aim is to ensure robust defenses and clearly defined access controls to prevent misuse or breaches of sensitive information.
