It's Raining Shells! Recent CVEs in SharePoint, Splunk, and Confluence, Oh My! | Threat SnapShot


In this bonus Threat SnapShot, we wanted to highlight a few of the most relevant and impactful vulnerabilities from December and January.

First, we'll cover a privilege escalation vulnerability in Microsoft SharePoint (CVE-2023-29357), with a CVSS score of 9.8 and rated critical. A remote, unauthenticated attacker can send a spoofed JSON Web Token (JWT) authentication token to a vulnerable server, which gives them the privileges of an authenticated user on the target. According to Microsoft's advisory, no user interaction is required for an attacker to exploit this flaw. While the currently released PoC does not achieve RCE out of the box, it's likely that threat actors will be able to modify the exploit and weaponize it for malicious use.

Next, we'll dive into a Remote Code Execution (RCE) vulnerability through insecure XML parsing affecting Splunk Enterprise (CVE-2023-46214). The vulnerability stems from insufficient sanitization of user-supplied extensible stylesheet language transformations (XSLT). Splunk is widely used in many organizations; this vulnerability could be exploited by insider threats or adversaries lurking in an organization, or, more broadly, against the thousands of publicly exposed Splunk instances.

Finally, we'll look at a template injection flaw affecting Atlassian Confluence (CVE-2023-22527). This critical vulnerability was given the maximum CVSS score of 10 because attackers can achieve remote code execution in a low-complexity attack and without authentication. This harkens back to similar CVEs, like CVE-2022-26134 and CVE-2021-26084, that allow an attacker to inject OGNL to gain code execution.

As always, we'll also discuss detection and threat hunting strategies to keep your organization safe.

References:
https://starlabs.sg/blog/2023/09-shar...
https://github.com/Chocapikk/CVE-2023...
https://blog.hrncirik.net/cve-2023-46...
https://thehackernews.com/2024/01/cit...

SnapAttack Resource:
https://app.snapattack.com/collection... - Collection: Microsoft SharePoint Server Privilege Escalation Vulnerability (CVE-2023-29357) | Threat SnapShot
https://app.snapattack.com/threat/313... - Threat: CVE-2023-29357 SharePoint Elevation of Privilege
https://app.snapattack.com/detection/... - Detection: Possible CVE-2023-29357 Exploitation
https://app.snapattack.com/collection... - Collection: Remote Code Execution (RCE) in Splunk Enterprise through Insecure XML Parsing (CVE-2023-46214) | Threat SnapShot
https://app.snapattack.com/threat/9a1... - Threat: CVE-2023-46214 Splunk Remote Code Execution
https://app.snapattack.com/threat/005... - Threat: CVE-2023-46214 Splunk Remote Code Execution (Linux)
https://app.snapattack.com/detection/... - Detection: Possible Splunk Exploitation (File Events)
https://app.snapattack.com/detection/... - Detection: Possible Splunk Exploitation (Linux File Events)
https://app.snapattack.com/detection/... - Detection: Suspicious Splunk Process
https://app.snapattack.com/detection/... - Detection: Suspicious Splunk Process (Linux)
https://app.snapattack.com/detection/... - Detection: Potential CVE-2023-46214 Exploitation Attempt (zeek)
https://app.snapattack.com/attack/5c7... - Attack Script: CVE-2023-46214 Splunk Remote Code Execution
https://app.snapattack.com/collection... - Collection: Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527) | Threat SnapShot
https://app.snapattack.com/threat/494... - Threat: CVE-2023-22527 - Atlassian Confluence Template Injection
https://app.snapattack.com/detection/... - Detection: Confluence Template Injection
https://app.snapattack.com/detection/... - Detection: Suspicious Confluence File Creation
https://app.snapattack.com/detection/... - Detection: Suspicious child processes of Atlassian Confluence
https://app.snapattack.com/attack/ad4... - Attack Script: CVE-2023-22527 Confluence OGNL Template Injection
