Microsoft® Access Control Vulnerability in SharePoint® 2007

Friday, December 12, 2008


Priority: HIGH

Impact: Potential for denial of service or information disclosure.

Resolution:

  1. If you are running a Breach Security product
    • Verify blocking policy in WebDefend™ or
    • Implement a virtual patch in the ModSecurity™ Pro M1100/ModSecurity hosts
  2. Apply the October 2008 Cumulative Update for SharePoint

Who: Any organization that is currently running the following versions of Microsoft SharePoint Server 2007:

  • Microsoft Office SharePoint Server 2007 (32-bit editions)
  • Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions)
  • Microsoft Office SharePoint Server 2007 (64-bit editions)
  • Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions)
  • Microsoft Search Server 2008* (32-bit editions)
  • Microsoft Search Server 2008** (64-bit editions)

*Includes Microsoft Search Server 2008 Express (32-bit)

**Includes Microsoft Search Server 2008 Express (64-bit)

For more information, please refer to the Microsoft Security Bulletin page for MS08-077.

What: This is an insufficient authorization vulnerability where a remote client is able to access sensitive administrative resources on the SharePoint site. 

How: Microsoft Office SharePoint Server 2007 uses specific URLs to manage SSP-level scopes. For example:

<server>/SSP/Admin/_layouts/viewscopesssp.aspx?mode=ssp

SharePoint properly applies authentication and authorization mechanisms to the /SSP/Admin/_layouts/ resources. The vulnerability corrected in MS08-077 is that these authorization controls are not applied if a client passes the “mode=ssp” parameter to other administrative SharePoint URLs.

Impact: A successful attack could lead to elevation of privilege, resulting in denial of service or information disclosure.

Risk: Due to the business-critical nature of SharePoint systems, coupled with the typical time lag in applying vendor patches, Breach Security Labs has rated the severity for SharePoint web sites as HIGH.

Resolution:

Deploy a Web Application Firewall

Breach Security fully recommends that organizations continue their normal vendor patching processes; however, patching should not be the only mitigation option. Breach Security’s web application firewalls already offer continuous protection by detecting and blocking attacks before they can reach the web application.

WebDefend customers are proactively protected from attempts to exploit this vulnerability by the positive security profile that is automatically created by the Adaption learning system. In this particular case, Adaption would have already created a profile of the expected parameter names/values for the SharePoint server. If an attacker tried to add the “mode=ssp” parameter to other resources, it would be identified and blocked (if blocking actions are set for the relevant events within the Policy Manager).

ModSecurity Pro M1100 and open-source ModSecurity customers running vulnerable versions of SharePoint and who would like to implement a more targeted remediation for this specific vulnerability may implement the following virtual patch:

# Virtual patch for CVE-2008-4032: deny any request that carries mode=ssp
# (matched case-insensitively) outside the legitimate /SSP/Admin/_layouts/ path.
# The three rules form one chain: the disruptive action (deny) is on the first
# rule and fires only when all three conditions match. ModSecurity 2.7 and later
# also require an id action on each rule; add one from your local id range.
SecRule &ARGS:mode "@gt 0" "chain,phase:2,t:none,log,deny,msg:'SharePoint Access Control Vulnerability - CVE-2008-4032 Attempt.',tag:'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4032'"
  SecRule ARGS:mode "@streq ssp" "chain,t:none,t:lowercase"
    SecRule REQUEST_URI "!@beginsWith /ssp/admin/_layout" "t:none,t:lowercase"
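To show exactly what the chain above matches, here is an added Python reference implementation of its three conditions, run over constructed sample access-log lines; it is not Breach Security's code, and the log entries, hosts and paths are illustrative only.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Same prefix the virtual patch checks with @beginsWith after t:lowercase.
ADMIN_PREFIX = "/ssp/admin/_layout"

# Constructed sample access-log lines (Common Log Format); hosts and paths
# are illustrative only, not data from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2008:10:01:02 +0000] "GET /SSP/Admin/_layouts/viewscopesssp.aspx?mode=ssp HTTP/1.1" 200 5120
10.0.0.7 - - [12/Dec/2008:10:01:09 +0000] "GET /_layouts/settings.aspx?mode=ssp HTTP/1.1" 200 4096
10.0.0.7 - - [12/Dec/2008:10:01:11 +0000] "GET /_layouts/settings.aspx?Mode=SSP HTTP/1.1" 200 4096
10.0.0.9 - - [12/Dec/2008:10:02:00 +0000] "GET /sites/team/default.aspx?mode=view HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def is_ssp_bypass_attempt(uri: str) -> bool:
    """Apply the three chained conditions of the virtual patch to one URI.

    1. &ARGS:mode @gt 0      -> a 'mode' argument is present
    2. ARGS:mode @streq ssp  -> its value is 'ssp' after t:lowercase
    3. REQUEST_URI !@beginsWith /ssp/admin/_layout (after t:lowercase)
    Argument names are compared case-insensitively because ASP.NET reads
    query-string names that way, so 'Mode=SSP' reaches SharePoint as mode=ssp.
    """
    query = urlsplit(uri).query
    modes = [v for k, v in parse_qsl(query, keep_blank_values=True)
             if k.lower() == "mode"]
    if not modes:
        return False
    if not any(v.lower() == "ssp" for v in modes):
        return False
    return not uri.lower().startswith(ADMIN_PREFIX)


def flag_requests(log_text: str) -> list:
    """Return the request URIs in a log excerpt that the chain would deny."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_ssp_bypass_attempt(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


if __name__ == "__main__":
    for uri in flag_requests(SAMPLE_LOG):
        print("would deny:", uri)
```

The legitimate scope-management request on the first log line passes, while the same parameter on any other path is flagged regardless of letter case.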

Customers may contact the Breach Security Services Team and receive assistance with implementing this virtual patch as part of their normal support contract.

Regardless of which Breach Security product is used, customers should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically that the appliances are configured in “Blocking” mode for these attacks.

Implement the proper SharePoint Cumulative Update for October 2008 from Microsoft

SharePoint users should download, test and install the proper patches from Microsoft.


Contact: For more information on this alert, please email support@breach.com.