1. SecPod Technologies
  2. KB Articles
  3. How To's

    Fixing Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604) using SanerNow (Active Exploits)

    Follow

    Overview:
    A remote code execution vulnerability exists in Microsoft SharePoint. This vulnerability, tracked as CVE-2019-0604 was reported by Markus Wulftange. This vulnerability was rated critical. However, no exploits were seen at the time of release.

    Now, a number of organizations reported active exploits of this vulnerability in regions of Canada and Middle East where the initial infection was achieved using a China Chopper web-shell. AlienLabs found malware samples (https://pastebin.com/bUFPhucz) that could be an earlier version of the malware which is capable of executing commands and also uploading or downloading files. Reports indicate that this malware linked to FIN7 group. For more info please refer our blog

     

    CVSS v3.0 Severity and Metrics:
    Base Score: 7.8 HIGH
    Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    CVSS v2.0 Severity and Metrics:
    Base Score: 9.3 HIGH
    Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

     

    Affected software:
    Windows Server 2008
    Windows Server 2008 R2
    Windows Server 2012
    Windows Server 2012 R2
    Windows Server 2016
    Windows Server 2019

     

    Solution:

    We can use SanerNow platform to apply this critical vulnerability quickly across the organization as shown in the below diagrams.

    NOTE: This vulnerability is been actively exploited by the attacker to break into the system, hence consider applying the solution immediately.

     

    SanerNow: Vulnerability detection and patching of CVE-2019-0604:

    1. Login to SanerNow platform

    2. Switch to the account/site specific view and Go to 'VM tool' 

    3. CVE-2019-0604 vulnerability will be listed in 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities' as shown in the below diagram

     CVE-2019-0604-Patch-KB.png

    4. Search for this vulnerability in VM tool. If you are affected, apply the patch through PM -> Missing Patches

    5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.

    6. Select the appropriate patches from the 'Asset' section as shown in the below diagram. Please refer this Microsoft advisory for more information.

    CVE-2019-0604-Patch-KB-4462143.png

     

    7. Select 'Apply Selected Patches' at the rightmost corner. This will prompt for 'Creating Patching Task'. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click on 'Apply Selected Patches' as shown below,

    CVE-2019-0604-Patch-KB-4462143-Sol.png 

    8. Remediation job will be created, which will fix the vulnerability by applying the patch.

    9. Once remediation is done, the Saner agent automatically scans again and uploads the result.

    Was this article helpful?
    0 out of 0 found this helpful

    Comments