Attacker Value
Very High
(3 users assessed)
Exploitability
High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2019-0604

Disclosure Date: March 05, 2019
CVE-2019-0604 CVSS v3 Base Score: 9.8
Exploited in the Wild
Reported by AttackerKB Worker and 2 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka ‘Microsoft SharePoint Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-0594.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Common in enterpriseEasy to weaponizeGives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

A .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the ZDI Advisory the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.

Per the Microsoft advisory:

Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

A public PoC has been released.

The initial vulnerability is triggered via an HTTP POST request to /_layouts/15/Picker.aspx?PickerDialogType=.

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
Authenticated
Technical Analysis

This made CISA’s list of most exploited vulns from 2016-2019—fairly notable since it’s a 2019 vulnerability and had less time to percolate than others. There are newer SharePoint vulnerabilities and exploits out now that may replace this one, but the generalized takeaway is that SharePoint is a highly attractive attack target with a number of public exploits and proofs-of-concept available for known vulns.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Microsoft SharePoint
  • Associated Malware: China Chopper
  • Mitigation: Update affected Microsoft products with the latest security patches
Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2019
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Microsoft

Products

  • Microsoft SharePoint Server,
  • Microsoft SharePoint Foundation,
  • Microsoft SharePoint Enterprise Server

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis