Last year Microsoft released security hotfixes that remove several vulnerabilities from SharePoint, and it is critical that SharePoint administrators install these hotfixes immediately in every SharePoint farm. The Microsoft Security Response Center articles link to the specific security hotfixes; alternatively, the hotfixes are included in the latest Cumulative Updates (CU) for these products. See SharePoint Updates for links to download a CU.
A Brief SharePoint Update Refresher
When installing SharePoint updates, there are two steps that must be performed on every server in the farm running SharePoint:
- Install the update by running the executable or installation package. Reboot if prompted.
- Run the SharePoint Products and Configuration Wizard on each server in the farm, ensuring it completes successfully. If it fails, review the upgrade logs and troubleshoot as necessary.
These vulnerabilities provide a way for an attacker to run code on a SharePoint server as the farm account. In most SharePoint farms the farm account has access (or can gain access) to all content stored in the farm so the impact of these vulnerabilities is considerable for organizations using SharePoint to store records, proprietary information, and personal data.
In April 2019, the Canadian Centre for Cyber Security issued an alert advising SharePoint administrators to patch their SharePoint farms because these vulnerabilities were being exploited to run the China Chopper web shell, an easy-to-use interface for connecting to and running code on a compromised machine. See China Chopper Malware affecting SharePoint Servers. Besides SharePoint, this web shell targets web servers that run ASPX, ASP, PHP, JSP or CFM pages, on both Windows and Linux. The server-side component is under 100 bytes, so it is easy to miss in a web directory, but there are methods to detect it.
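One of those detection methods, written as an added example for this post (not code from the alert or from Microsoft): walk a web root and flag script files that are both tiny, as the post notes the server-side component is, and contain an eval-style call fed from request data. The size threshold, the extension list and the constructed sample web root are assumptions for the demo; treat hits as triage candidates, not verdicts.

```python
import re
import tempfile
from pathlib import Path

# Script types the post lists as China Chopper targets.
SCRIPT_EXTS = {".aspx", ".asp", ".php", ".jsp", ".cfm"}
# The post says the server-side component is under 100 bytes; allow some slack
# for whitespace. Assumed threshold, not taken from the post.
MAX_SIZE = 200
# Dynamic-code-execution calls that a legitimate page this small almost never needs.
EVAL_RE = re.compile(r"\b(eval|execute|assert|system)\s*\(", re.IGNORECASE)
REQUEST_RE = re.compile(r"request", re.IGNORECASE)


def scan_webroot(root):
    """Return a sorted list of (relative_path, size_in_bytes) for script files
    under `root` that are at most MAX_SIZE bytes and pass request data to an
    eval-style call. Cheap heuristic meant for triage by hand."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        size = path.stat().st_size
        if size > MAX_SIZE:
            continue
        text = path.read_text(errors="replace")
        if EVAL_RE.search(text) and REQUEST_RE.search(text):
            hits.append((str(path.relative_to(root)), size))
    return sorted(hits)


def demo():
    """Build a constructed web root: one ordinary page and one tiny eval page."""
    root = tempfile.mkdtemp()
    layouts = Path(root, "_layouts", "15")
    layouts.mkdir(parents=True)
    # Ordinary page: well over the size threshold and no eval call.
    (layouts / "default.aspx").write_text(
        '<%@ Page Language="C#" %>\n' + "<div>ok</div>\n" * 40)
    # Constructed stand-in for a dropped file: eval of request input.
    # Placeholder only, not a functional page.
    (layouts / "x.aspx").write_text('<% eval(Request["k"]) %>')
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{rel}\t{size} bytes")
```

Run it against a real web root with `scan_webroot(r"C:\inetpub\wwwroot")` (path assumed) and compare any hits against the known file inventory and modification times.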
5 Key Security Tips
- Ensure SharePoint service accounts (farm, web application pools, service application pools, crawl accounts, etc.) are NOT local machine administrators on any machine in the domain, including the SharePoint and SQL Servers in the farm.
- Keep SharePoint up to date by installing Cumulative Updates every month. Install security hotfixes ASAP after release.
- Only publish SharePoint sites externally if there is a clear business reason to do so, and when publishing use a reverse proxy to control access to the published sites.
- Use HTTPS and certificates to encrypt connections to the SharePoint servers.
- Keep server-level antivirus systems up-to-date and use a SharePoint antivirus solution to ensure content is scanned when uploaded and downloaded. (source)