CVE-2021-36940
📋 TL;DR
This vulnerability allows an authenticated attacker to spoof content in Microsoft SharePoint Server, potentially tricking users into interacting with malicious content. It affects organizations running vulnerable SharePoint Server versions. The attacker must have authenticated access to SharePoint to exploit this vulnerability.
💻 Affected Systems
- Microsoft SharePoint Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could spoof legitimate SharePoint content to trick users into revealing credentials, downloading malware, or performing unauthorized actions while appearing to interact with trusted SharePoint resources.
Likely Case
Phishing attacks within SharePoint where attackers create convincing spoofed pages to harvest credentials or distribute malware to authenticated users.
If Mitigated
With proper access controls and user awareness training, the impact is limited to potential confusion or minor social engineering attempts within the SharePoint environment.
🎯 Exploit Status
Exploitation requires authenticated access to SharePoint. The spoofing technique is relatively straightforward once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in August 2021 for SharePoint Server 2019, 2016, and 2013 SP1
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36940
Restart Required: Yes
Instructions:
1. Download the appropriate security update from the Microsoft Update Catalog.
2. Apply the update to all affected SharePoint servers.
3. Restart the SharePoint servers as required.
4. Test SharePoint functionality after patching.
🔧 Temporary Workarounds
Restrict SharePoint Access
Limit SharePoint access to only necessary users and implement the principle of least privilege.
User Awareness Training
Train users to verify SharePoint URLs and be cautious of unexpected content changes.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual SharePoint content modifications
- Deploy web application firewall rules to detect and block spoofing attempts
🔍 How to Verify
Check if Vulnerable:
Check SharePoint Server version and compare against patched versions. Vulnerable versions include SharePoint Server 2019, 2016, and 2013 SP1 without August 2021 security updates.
Check Version:
Get-SPFarm | Select BuildVersion (PowerShell on SharePoint server)
Verify Fix Applied:
Verify that August 2021 security updates for SharePoint are installed and check that spoofing attempts are no longer successful.
📡 Detection & Monitoring
Log Indicators:
- Unusual content creation/modification patterns in SharePoint logs
- Multiple failed authentication attempts followed by content changes
Network Indicators:
- Unusual traffic patterns to SharePoint content pages
- Requests that appear to manipulate SharePoint content parameters
SIEM Query:
source="SharePoint" AND (event_type="content_modified" OR event_type="page_created") AND user NOT IN [authorized_users]
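The SIEM query above is pseudo-syntax; the following script is an added example (not part of this advisory and not tied to any real SharePoint log schema) that applies the same two log indicators to constructed SharePoint-style records: content events by users outside an authorized editor list, and content changes that follow a burst of failed authentication attempts. The field layout, user names, paths and thresholds are assumptions.

```python
# Added example: offline check of the advisory's log indicators against
# constructed records. The "<timestamp> <event> <user> <path>" layout is an
# assumption, not the real SharePoint ULS or audit-log format.
from datetime import datetime, timedelta

AUTHORIZED_EDITORS = {"alice@corp.example", "svc-publisher@corp.example"}
CONTENT_EVENTS = {"content_modified", "page_created"}
FAILED_AUTH = "auth_failed"
FAILURE_THRESHOLD = 3        # failed logins before a following edit is flagged
WINDOW = timedelta(minutes=10)

# Constructed sample records (hypothetical users and site paths).
SAMPLE_LOG = """\
2021-08-11T09:00:01Z auth_failed mallory@corp.example /sites/hr
2021-08-11T09:00:05Z auth_failed mallory@corp.example /sites/hr
2021-08-11T09:00:09Z auth_failed mallory@corp.example /sites/hr
2021-08-11T09:03:30Z page_created mallory@corp.example /sites/hr/SitePages/Login.aspx
2021-08-11T09:10:00Z content_modified alice@corp.example /sites/hr/SitePages/Home.aspx
2021-08-11T09:12:00Z content_modified bob@corp.example /sites/hr/SitePages/Home.aspx
"""

def parse(line):
    ts, event, user, path = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "path": path}

def find_suspicious_changes(log_text, authorized=AUTHORIZED_EDITORS):
    """Return (user, path, reasons) for content events matching either indicator."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    recent_failures = {}     # user -> timestamps of failed authentications
    hits = []
    for ev in events:
        if ev["event"] == FAILED_AUTH:
            recent_failures.setdefault(ev["user"], []).append(ev["ts"])
            continue
        if ev["event"] not in CONTENT_EVENTS:
            continue
        reasons = []
        if ev["user"] not in authorized:          # "user NOT IN [authorized_users]"
            reasons.append("unauthorized_editor")
        fails = [t for t in recent_failures.get(ev["user"], []) if ev["ts"] - t <= WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:       # failed logins followed by a change
            reasons.append("edit_after_failed_logins")
        if reasons:
            hits.append((ev["user"], ev["path"], reasons))
    return hits

if __name__ == "__main__":
    for user, path, reasons in find_suspicious_changes(SAMPLE_LOG):
        print(f"{user} {path} {','.join(reasons)}")
```

Tune the authorized list, threshold and window to the site's normal editing pattern before using the logic as an alert rule, otherwise routine edits by occasional contributors will dominate the output.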