Critical Vulnerability in SharePoint Server Being Exploited by Hackers

ZDNet has posted an article describing a critical vulnerability in SharePoint Server 2010, 2013, 2016 & 2019 that is currently being exploited by hackers to gain access to farms exposed to the internet. This vulnerability allows attackers to run code in the context of the application pool or farm administrator account.

The Microsoft Security Bulletin associated with this issue is CVE-2019-0604. I would suggest immediate patching if you are not already at the requisite patch level (links to each KB article and CU are at the bottom of the security bulletin page). I have seen the results of this attack in compromised systems and can verify that it is extremely dangerous, including deployment of the China Chopper web shell that can execute remote commands via the web browser.

Systems affected include:

SharePoint Server 2010
SharePoint Server 2013
SharePoint Server 2016
SharePoint Server 2019

If you are looking for footprints to see if your systems have already been affected, scan your IIS virtual directories and SharePoint application directories for out-of-place files (usually with an .aspx extension). The planted files are carefully crafted to look like valid files and often have their modified dates changed so they don’t appear to be recent updates. For example, in the /_layouts directory you may find what should normally be a .js file with an .aspx extension (sp.init.aspx instead of sp.init.js), or an .aspx/.html file in the /_vti_pvt virtual directory of a web application (there shouldn’t be anything other than .cnf files in that folder). The planted code is also extensively obfuscated – it’s pretty obvious once you know what you’re looking for. When in doubt, run a file diff against a test or development server that has no external exposure and analyze all the deltas. So far we haven’t seen any core files that have been modified, only new files added where they shouldn’t be. YMMV.
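The checks above (an .aspx shadowing a .js in _layouts, anything other than .cnf under _vti_pvt, and a content diff against an unexposed server) can be scripted so they are repeatable across a farm. The script below is an added example and is not part of the original post or any Microsoft tooling; the directory layout it builds, the indicator names and the placeholder file contents are constructed for the demonstration, and the two roots it compares stand in for the SharePoint hive and IIS virtual directory roots you would point it at. It compares SHA-256 hashes rather than timestamps, since the post notes that modified dates on planted files are backdated.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hash file contents; mtimes are deliberately ignored because planted files get backdated."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def find_suspicious(root: Path, baseline: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {relative_path: [indicator names]} for files matching the post's indicators.

    Indicators (names are constructed for this example):
      aspx-shadows-js       an .aspx in a _layouts directory named like an existing .js file
      non-cnf-in-vti_pvt    anything other than a .cnf file under _vti_pvt
      absent-from-baseline  file exists here but not on the unexposed reference server
      differs-from-baseline file exists on both but the contents differ
    """
    current = snapshot(root)
    lowered = {rel.lower() for rel in current}
    findings: Dict[str, List[str]] = {}

    def flag(rel: str, reason: str) -> None:
        findings.setdefault(rel, []).append(reason)

    for rel in sorted(current):
        parts = rel.lower().split("/")
        ext = os.path.splitext(parts[-1])[1]
        # Legitimate .aspx pages live in _layouts too, so only flag one that shadows a .js name.
        if "_layouts" in parts and ext == ".aspx":
            if rel.lower()[: -len(".aspx")] + ".js" in lowered:
                flag(rel, "aspx-shadows-js")
        if "_vti_pvt" in parts and ext != ".cnf":
            flag(rel, "non-cnf-in-vti_pvt")
        if baseline is not None:
            if rel not in baseline:
                flag(rel, "absent-from-baseline")
            elif baseline[rel] != current[rel]:
                flag(rel, "differs-from-baseline")
    return findings


def build_sample_tree() -> "tuple[Path, Path]":
    """Constructed sample: a clean 'dev' root and a 'prod' root with the kinds of files the post describes."""
    base = Path(tempfile.mkdtemp())
    for farm in ("dev", "prod"):
        layouts = base / farm / "_layouts" / "15"
        layouts.mkdir(parents=True)
        (layouts / "sp.init.js").write_text("// legitimate script (placeholder)\n")
        (layouts / "default.aspx").write_text("<%@ Page %> legitimate page (placeholder)\n")
        pvt = base / farm / "wss" / "VirtualDirectories" / "80" / "_vti_pvt"
        pvt.mkdir(parents=True)
        (pvt / "service.cnf").write_text("vti_encoding:SR|utf8-nl\n")
    # Planted look-alikes on 'prod' only; contents are inert placeholders, not real web shells.
    (base / "prod" / "_layouts" / "15" / "sp.init.aspx").write_text("<%@ Page %> placeholder\n")
    (base / "prod" / "wss" / "VirtualDirectories" / "80" / "_vti_pvt" / "index.aspx").write_text("placeholder\n")
    return base / "dev", base / "prod"


if __name__ == "__main__":
    dev_root, prod_root = build_sample_tree()
    for rel, reasons in find_suspicious(prod_root, snapshot(dev_root)).items():
        print(f"{rel}: {', '.join(reasons)}")
```

For a real farm, run `snapshot()` on the reference server and `find_suspicious()` on each production root; the baseline only means something if the reference server is at the same build and CU, otherwise every patched file shows up as a delta. Anything flagged still needs a human look, since the first two indicators are heuristics rather than proof of compromise.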

Don’t risk the integrity of your farms – go get those servers patched ASAP!