CVE-2021-34467 – This vulnerability allows an authenticated atta... (How to Fix)

Q: What is the severity of CVE-2021-34467?

CVE-2021-34467 has a CVSS score of 7.1 (HIGH). This vulnerability allows an authenticated attacker with SharePoint permissions to execute arbitrary code on affected SharePoint servers. It affects Microsoft SharePoint Server installations where an attacker can upload specially crafted files.

📋 TL;DR

This vulnerability allows an authenticated attacker with SharePoint permissions to execute arbitrary code on affected SharePoint servers. It affects Microsoft SharePoint Server installations where an attacker can upload specially crafted files.

💻 Affected Systems

Products:

Microsoft SharePoint Server
Microsoft SharePoint Foundation

Versions: 2013, 2016, 2019

Operating Systems: Windows Server

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user with permissions to upload files to SharePoint

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of SharePoint server leading to data theft, lateral movement, and persistent backdoor installation

🟠

Likely Case

Unauthorized file upload leading to remote code execution within SharePoint application context

🟢

If Mitigated

Limited impact with proper network segmentation, least privilege access, and file upload restrictions

🌐 Internet-Facing: HIGH if SharePoint is exposed to internet without proper authentication and file upload controls

🏢 Internal Only: MEDIUM as it requires authenticated access but could be exploited by malicious insiders or compromised accounts

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authentication and specific file upload capabilities

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 security updates

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34467

Restart Required: Yes

Instructions:

1. Apply July 2021 security updates for SharePoint Server 2. Restart SharePoint services 3. Verify patch installation through Windows Update or manual installation

🔧 Temporary Workarounds

Restrict file upload permissions

all

Limit file upload capabilities to trusted users only and implement file type restrictions

Network segmentation

all

Isolate SharePoint servers from critical infrastructure and implement strict firewall rules

🧯 If You Can't Patch

Implement strict file upload validation and scanning
Enable enhanced logging and monitoring for file upload activities

🔍 How to Verify

Check if Vulnerable:

Check SharePoint version and verify if July 2021 security updates are installed

Check Version:

Get-SPFarm | Select BuildVersion (PowerShell) or check Central Administration > Upgrade and Migration > Check product and patch installation status

Verify Fix Applied:

Verify patch installation through Windows Update history or SharePoint Central Administration

📡 Detection & Monitoring

Log Indicators:

Unusual file upload patterns
Large number of file upload attempts
Suspicious file types being uploaded

Network Indicators:

Unusual outbound connections from SharePoint servers
Unexpected PowerShell or command execution traffic

SIEM Query:

source="sharepoint" AND (event_id=6398 OR event_id=6399) AND file_extension IN ("aspx", "ashx", "asmx")

📊 Metadata

CVE ID: CVE-2021-34467

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Published: July 16, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34467 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34467 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON