A newly discovered vulnerability in SharePoint’s XML handling has raised security concerns. The flaw, tracked as CVE-2024-30043, affects both on-premises and cloud instances of SharePoint. It originates from insufficient validation during XML fetching and parsing, which lets attackers exploit the system through XXE (XML eXternal Entity) injection.
CVE-2024-30043 is a vulnerability affecting the SharePoint Farm Service Account that exposes sensitive data and enables a range of attacks. SharePoint users face risks including file access, Server-Side Request Forgery (SSRF), NTLM relay attacks, and remote code execution.
Details of the XXE Injection Vulnerability
The flaw lives in SharePoint’s BaseXmlDataSource class, specifically in its Execute method, which accepts user-controlled URLs or paths to XML files. The XML fetching and parsing this method performs are inadequately validated, opening potential exploit paths.
Researchers found that the FetchData method accepts a user-controlled URL parameter and is implemented in three classes: SoapDataSource, XmlUrlDatasource, and SPXmlDataSource. Although security measures are present, the XML parsing settings still allow exploitation: xmlReaderSettings.DtdProcessing is set to prohibit DTDs, and xmlTextReader.XmlResolver is set to a new XmlSecureResolver, but the resolver handles parameter entities before the DTD prohibition check is applied, so a malicious payload can still be executed.
Reason for Payload Execution
Because parameter entities are mishandled and the security checks run in the wrong order, Out-of-Band XXE exploitation becomes possible: malicious payloads can exfiltrate data and carry out various attacks, bypassing the initial security settings.
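To make the ordering problem described above concrete, here is an added example (not SharePoint’s code, and not from the researchers) of a hardened .NET loader for untrusted XML: the reader that actually parses carries no resolver at all, and DtdProcessing.Prohibit rejects any DOCTYPE before a parameter entity could be declared, let alone resolved. The class name, the Accepts helper and the sample inputs are assumptions made for this illustration.

```csharp
// Added example: hardened XML loading in .NET, illustrating the mitigation side of
// the parser settings discussed in the article. Not the SharePoint implementation.
using System;
using System.IO;
using System.Xml;

static class HardenedXmlLoader
{
    // Parses untrusted XML; throws XmlException for any input that carries a DTD.
    public static XmlDocument LoadUntrusted(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> is an error
            XmlResolver = null,                     // the parsing reader never fetches anything
        };
        // The settings are applied to the reader that does the parsing, so there is no
        // separate XmlTextReader with its own resolver that could run ahead of the check.
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null }; // keep the DOM from resolving too
        doc.Load(reader);
        return doc;
    }

    // True when the hardened loader accepts the input, false when it refuses it.
    public static bool Accepts(string xml)
    {
        try { LoadUntrusted(xml); return true; }
        catch (XmlException) { return false; }
    }

    static void Main()
    {
        // Constructed inputs. The second declares an external parameter entity, the
        // construct the article says the vulnerable path resolved before the DTD check;
        // the host name is a placeholder and is never contacted, because the DOCTYPE
        // itself is rejected.
        const string plain = "<feed><item>hello</item></feed>";
        const string withParamEntity =
            "<!DOCTYPE feed [<!ENTITY % ext SYSTEM \"http://placeholder.invalid/ext.dtd\"> %ext;]><feed/>";

        Console.WriteLine("plain accepted: " + Accepts(plain));
        Console.WriteLine("parameter-entity document accepted: " + Accepts(withParamEntity));
    }
}
```

The check worth carrying into code review is the one in the comments: DtdProcessing.Prohibit must be set on the reader that parses, and that reader must have no resolver, rather than relying on a wrapping settings object to stop a resolver attached elsewhere.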
– SharePoint’s XML parsing flaw allows various attacks.
– Exploits include SSRF, NTLM relay, and remote code execution.
– Microsoft’s patch mitigates the vulnerability; users are urged to update.
Microsoft’s May 2024 Patch Tuesday updates addressed this vulnerability. The patch tightened URL parsing control for SPXmlDataSource and prohibited DTD usage in XmlTextReader. SharePoint users are advised to update their instances to mitigate the threat.
This vulnerability highlights the importance of thorough validation in data handling processes. Organizations using SharePoint should prioritize updates and consider additional security measures to protect their systems. The discovery and patching of CVE-2024-30043 demonstrate the ongoing challenges in securing enterprise software and the need for continuous vigilance in cybersecurity practices.