Recommendations
Identify and patch vulnerable SharePoint servers
Organisations are strongly encouraged to apply the latest SharePoint patches available from Microsoft.
Investigate for evidence of exploitation
Organisations are strongly encouraged to engage their ICT team or provider and review their environments for evidence of the malicious activity outlined below.
Organisations should analyse SharePoint directories for any indications of the presence of web shells and other malicious files, particularly the Layouts folder. By default, the Layouts folder is located at the following path, depending on the SharePoint version:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\<version_number>\Template\Layouts
In order to identify potential web shells organisations should review and implement the guidance outlined in Detect and Prevent Web Shell Malware.
Organisations are also recommend to review web server logs, and other relevant sources of logging, for the following items which could indicate malicious activity associated with exploitation of this SharePoint vulnerable.
Review HTTP POST requests to the following resources required to successfully exploit the CVE-2019-0604 vulnerability:
Picker.aspx?PickDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog
Picker.aspx?PickDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog
Implement complementary security controls and/or transfer risk
The ACSC strongly recommends the implementation of the ASD Essential 8 mitigations to mitigate threats to internet-facing systems. Specifically for this vulnerability, maintaining a regular patch process and validating the application of patches reduces the risk of exploitation and is an essential part of a mature cyber program.
To limit the extent of cyber security incidents related to compromise of web servers, organisations should segment and segregate internet-facing servers whenever possible. Methods of network segmentation for a web server may include:
- move the web server to an appropriate network segment (e.g. a DMZ) for the environment
- move the web application to an externally-hosted server (e.g. within a cloud hosted environment).
The following controls should be applied to externally-facing servers, whether DMZ or cloud-based, to limit trust and data movement into the internal network. These controls will include:
- Apply host segregation by only allowing specified communications between servers where required and over specific protocols. Additional considerations and limitations should be applied to communications between the server and network internal segments.
- Internal authentication credentials should be protected from externally-facing servers. Do not use or store internal segment credentials on externally-facing servers.
- An additional protection for web servers is the removal of impersonate privileges from service accounts that do not require this privilege. Note: This will need testing as some service accounts may require this privilege.
Additionally, logging on externally-facing servers (both operating system and application logs) should capture the appropriate events to enable a security team to effectively monitor for compromise. The logs should be centralised and continuously monitored for signs of anomalous activity.
Incident reporting
If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).