CVE-2020-1200
📋 TL;DR
This is a remote code execution vulnerability in Microsoft SharePoint that allows attackers to run arbitrary code by uploading a specially crafted application package. It affects SharePoint servers where users can upload packages, potentially compromising the entire SharePoint farm.
💻 Affected Systems
- Microsoft SharePoint Server
- Microsoft SharePoint Foundation
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of SharePoint farm, data exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Unauthorized access to SharePoint data, privilege escalation within SharePoint environment, and potential server compromise.
If Mitigated
Limited to authenticated user access only, with proper upload restrictions and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated user access to upload malicious packages. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates for SharePoint 2010-2019 released in May 2020
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1200
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Microsoft Update Catalog.
2. Apply the update to all SharePoint servers in the farm.
3. Run the SharePoint configuration wizard.
4. Restart servers as required.
🔧 Temporary Workarounds
Disable SharePoint application package uploads
- Restrict or disable the ability to upload SharePoint application packages (.app files)
- Use SharePoint Central Administration or PowerShell to modify upload permissions
Implement strict upload validation
- Add additional validation layers for all uploaded SharePoint packages
- Implement custom validation in SharePoint solution gallery settings
🧯 If You Can't Patch
- Implement strict access controls on SharePoint upload functionality
- Deploy network segmentation and monitor for suspicious upload activities
🔍 How to Verify
Check if Vulnerable:
Check SharePoint version and compare against patched versions. Verify if application package upload functionality is enabled.
Check Version:
Get-SPFarm | Select BuildVersion
Verify Fix Applied:
Verify SharePoint build number matches patched version from Microsoft advisory. Test upload functionality with safe packages.
📡 Detection & Monitoring
Log Indicators:
- Unusual .app file uploads
- Failed package validation attempts
- Suspicious PowerShell execution from SharePoint processes
Network Indicators:
- Unusual outbound connections from SharePoint servers
- Large file uploads to SharePoint application galleries
SIEM Query:
source="sharepoint_logs" AND (file_extension=".app" OR process="powershell") AND user_action="upload"
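The SIEM predicate above, applied offline to key=value log records, together with the "large .app upload" network indicator. This is an added example, not code from the CVE card or from Microsoft; the log field names follow the query above, and the sample lines are constructed.

```python
"""Evaluate the detection rule from this page over key=value SharePoint log records."""
import shlex
from collections import defaultdict

# Constructed sample records (assumed key=value export format, not a real SharePoint log).
SAMPLE_LOGS = """\
source=sharepoint_logs user=alice user_action=upload file_name=report.docx file_extension=.docx size=20480
source=sharepoint_logs user=bob user_action=upload file_name=helper.app file_extension=.app size=5242880
source=sharepoint_logs user=bob user_action=view file_name=helper.app file_extension=.app size=5242880
source=sharepoint_logs user=carol user_action=upload process=powershell file_name=deploy.ps1 file_extension=.ps1 size=2048
source=iis_logs user=dave user_action=upload file_name=x.app file_extension=.app size=1024
"""

def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; shlex tolerates quoted values containing spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def matches_rule(rec):
    """Same predicate as the SIEM query: sharepoint_logs AND upload AND (.app OR powershell)."""
    return (rec.get("source") == "sharepoint_logs"
            and rec.get("user_action") == "upload"
            and (rec.get("file_extension", "").lower() == ".app"
                 or rec.get("process", "").lower() == "powershell"))

def find_suspicious_uploads(log_text, large_bytes=1_048_576):
    """Return (rule hits, users whose total .app upload volume reaches the large-upload threshold).

    The 1 MiB threshold is an assumed starting point; tune it to the environment's baseline.
    """
    hits = []
    app_bytes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not matches_rule(rec):
            continue
        hits.append(rec)
        if rec.get("file_extension", "").lower() == ".app":
            app_bytes[rec.get("user", "?")] += int(rec.get("size", 0))
    large = {user: total for user, total in app_bytes.items() if total >= large_bytes}
    return hits, large

if __name__ == "__main__":
    hits, large = find_suspicious_uploads(SAMPLE_LOGS)
    for h in hits:
        print(f"ALERT user={h['user']} file={h.get('file_name')} process={h.get('process', '-')}")
    print("large .app uploaders:", large)
```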