Summary:
- These vulnerabilities affect: SharePoint Server, Groove Server, Office Web Apps, and InfoPath 2010, which are all part of Microsoft’s Office family products
- How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious link, or by visiting a specific address on a vulnerable server
- Impact: In the worst case, an attacker can elevate their privileges, gaining the ability to do anything the victim can on the affected server.
- What to do: Install the appropriate updates as soon as you can, or let Windows Update do it for you.
Exposure:
Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in SharePoint, SharePoint Foundation, Groove, Office Web Apps, and InfoPath — all part of Microsoft’s Office family of products. Microsoft rates both bulletins as Important. We summarize them below:
- MS13-030: SharePoint Information Disclosure Flaw
SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint Server 2013 does not apply the proper access controls to a SharePoint list, which means any SharePoint user can gain access to items in the list, even if the list owner did not intend that user to have access. However, in order to exploit this flaw, the attacker needs valid credentials on your SharePoint Server, and needs to know the specific URL address for the Sharepoint list in question. These factors significantly mitigate this vulnerability, limiting it primarily to an internal risk
Microsoft rating: Important.
- MS13-035: SharePoint and Office server XSS Vulnerability
SharePoint (and other Office-related servers like InfoPack and Groove) also suffer from an unspecified Cross-Site Scripting vulnerability (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the 2010 versions of these Office servers.
Microsoft rating: Important
Solution Path
Microsoft has released patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate ones as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.
The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:
For All WatchGuard Users:
WatchGuard’s Intrusion Prevention services can sometimes prevent web application attacks like the XSS one described today. For instance, our IPS signature team has developed a new signature that can detect and block the “HTML Sanitizarion” XSS attack affecting Sharepoint and other Office-related servers:
- WEB-CLIENT Microsoft IE HTML Sanitization Vulnerability (CVE-2013-1289)
Your XTM appliance should get this new IPS update shortly. Nonetheless, attackers can still exploit these flaws locally, so we still recommend you install Microsoft’s updates.
Status:
Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).