Written By:  Kurt Mackie |  Published:  2/24/2020

SharePoint Servers Now Actively Targeted by CVE-2019-0604 Exploit

Attackers are installing China Chopper Web shells on SharePoint Servers to carry out remote code execution attacks. Potentially affected SharePoint products include all versions, from SharePoint Server 2010 through SharePoint Server 2019, as described in Microsoft's Security Advisory CVE-2019-0604.  

Christopher Doman, a security researcher at AlienVault, raised the alarm about the active targeting in a Tweet on Friday. He cited an April 23 alert by the Canadian Centre for Cyber Security, as well as an undated alert by Saudi Arabia's National Cyber Security Center, as indicating that the targeting was active. Security researcher Kevin Beaumont commented in that post that the exploit isn't public yet, but that "some APT [advanced persistent threat] and crimeware groups are already using it, i.e. ones with skills."

The vulnerabilities were publicly described in a March 13 Trend Micro Zero Day Initiative (ZDI) blog post by researcher Markus Wulftange, who described leveraging the XMLSerializer in SharePoint. The proof-of-concept attack is highly technical, perhaps making it seem less likely to occur.

Microsoft first published its CVE-2019-0604 security advisory in February. It first released security updates for the SharePoint vulnerability on March 12, but later sent patches out again on April 25, per the security bulletin's history. However, Wulftange described Microsoft sending the patch out twice in March because Microsoft had missed fixing one of the flaws.

In any case, authorities are now suggesting that the SharePoint Server flaw is being actively targeted, which apparently wasn't the case back in March.

In other SharePoint Server patch news, Microsoft warned IT pros earlier this month that there are minimum cumulative update patch levels to maintain for both SharePoint Server 2013 and SharePoint Server 2016. Organizations need to have the April 2018 and May 2018 Cumulative Updates installed, respectively, to keep their SharePoint farms supported.