Nothing to see here – in Microsoft Land – Portswigger has the story:
Apparently there is a feature in Microsoft Office Online Server that causes a Remote Code Execution(RCE) vulnerability. After hackers use a SSRF (Server Side Request forgery) attack, they can attack the systems with RCE.
When Microsoft was told about this vulnerability they said this is how the software is supposed to work?? It is a feature not a bug.
But to deny the vulnerability one has to configure the server:
“Administrators can also set the service’s OpenFromUNCEnabled flag to false to prevent access to files through UNC paths, which is the feature used to attack the server.”
This is like the Gordian Knot Of Alexander the great fame where there was a complicated and impossible to untangle knot which Alexander was able to just slice through it (which no one had thought of before).
Our modern day computer systems have a Microsoft Knot which we have to figure out because it can look like a large entanglement
The Microsoft Office Online server has a knot that you need to figure out.
A SSRF attack is used to get a foothold on the system – where a RCE vulnerability then allows the hacker to install software they want to keep control of the system.
More details from portswigger:
“Office Online has a .aspx page for retrieving documents from remote resources. Attackers can use this endpoint to initiate connections to remote resources through the server and perform SSRF, according to a technical write-up from security firm MDSec.”
And don’t forget last weeks post – with the
Patching and Upgrading is Good Right? Hackers Take advantage of Updates!
That was another Microsoft Knot – So how do we solve these things? When sometimes we do not even know what Microsoft throws at us?
The Gordian knot is a perfect metaphor as the computer has a problem that is very tricky to unwind -but not impossible.
These 2 issues(the OOS and the vulnerable driver issue) got me thinking about the unique risks a Microsoft environment has – like an exchange server and the active directory environment(which controls the desktop an how it communicates with the network server). Updating your systems is not the only actions a cyber defense must accomplish as one must perform more configuration and audits to ensure the environment is safe as can be.
Develop a defense in depth strategy where you do not just depend on Microsoft products. One has to have multiple methods, a next gen firewall, white listing apps which only allow programs listed to run on the environment. Of course a decent anti-virus program is also a must.
Get my book to get started.