Recently, a new SharePoint remote code execution vulnerability (CVE-2020-16952) was disclosed in SharePoint products. It allows attackers to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
In this post, we'll show the actions SharePoint Administrators must take to resolve this SharePoint Remote Code Execution Vulnerability and prevent attackers from exploiting it, namely installing the relevant SharePoint Security Update for each affected SharePoint version.
- 1 What's SharePoint Remote Code Execution Vulnerability?
  - 1.1 What are the affected SharePoint Versions?
  - 1.2 Resolve SharePoint Remote Code Execution Vulnerability
- 2 Patching SharePoint Farm Considerations
You might also like to read Patching SharePoint Farm Considerations.
What's SharePoint Remote Code Execution Vulnerability?
Briefly, remote code execution (RCE) is the ability of an attacker to remotely access and control a computer or server and run malicious software on it.
What are the affected SharePoint Versions?
Below is the list of SharePoint versions affected by the SharePoint Remote Code Execution Vulnerability (CVE-2020-16952).
- SharePoint 2019.
- SharePoint 2016 Enterprise Edition.
- SharePoint 2013 with Service Pack 1.
- SharePoint Foundation 2013 with Service Pack 1.
Note: it's strongly recommended to immediately patch your farm with the SharePoint security update that corresponds to your SharePoint version to resolve this SharePoint Remote Code Execution Vulnerability.
Resolve SharePoint Remote Code Execution Vulnerability
To prevent exploitation of this SharePoint Remote Code Execution Vulnerability (CVE-2020-16952), Microsoft has provided a SharePoint Security Update for each affected SharePoint version, as follows:
Security Update for Microsoft SharePoint Server 2019 Core (KB4486676)
This SharePoint security update mainly resolves RCE vulnerabilities in SharePoint 2019 that could allow remote code execution if a user opens a specially crafted Office file.
Prerequisites
You must have SharePoint Server 2019 installed to apply this SharePoint Security update.
If you have already turned on automatic Microsoft Update, this update will be downloaded and installed automatically.
In this case, you only need to schedule a run of the SharePoint Configuration Wizard on each SharePoint server across the farm to apply this security update.
If automatic Microsoft Update is turned off, you will need to do the following:
- Download Security Update for Microsoft SharePoint Server 2019 Core (KB4486676).
- Copy the downloaded file on all SharePoint Servers within the farm.
- Install the downloaded file on all SharePoint Servers within the farm.
- Finally, run the SharePoint Configuration Wizard on each SharePoint server across the farm to apply the security update.
Security Update for Microsoft SharePoint Enterprise Server 2016 (KB4486677)
This SharePoint security update mainly resolves RCE vulnerabilities in SharePoint 2016 Enterprise Edition that could allow remote code execution if a user opens a specially crafted Office file.
Prerequisites
You must have SharePoint Server 2016 Enterprise Edition installed to apply this SharePoint Security update.
Again, if you have already turned on automatic Microsoft Update, this update will be downloaded and installed automatically.
In this case, you only need to schedule a run of the SharePoint Configuration Wizard on each SharePoint server across the farm to apply this security update.
If automatic Microsoft Update is turned off, you will need to do the following:
- Download Security Update for Microsoft SharePoint Enterprise Server 2016 (KB4486677).
- Copy the downloaded file on all SharePoint Servers within the farm.
- Install the downloaded file on all SharePoint Servers within the farm.
- Finally, run the SharePoint Configuration Wizard on each SharePoint server across the farm to apply the security update.
Note: In SharePoint 2016, running the SharePoint Configuration Wizard requires downtime if you don't have a high availability farm.
Security Update for Microsoft SharePoint Enterprise Server 2013 (KB4486687)
This SharePoint security update mainly resolves RCE vulnerabilities that exist in Microsoft Excel software when it does not correctly handle objects in memory.
Prerequisites
You must have SharePoint Server 2013 Enterprise Edition with Service Pack 1 installed to apply this SharePoint Security update.
Again, if you have already turned on automatic Microsoft Update, this update will be downloaded and installed automatically.
In this case, you only need to schedule a run of the SharePoint Configuration Wizard on each SharePoint server across the farm to apply this security update.
If automatic Microsoft Update is turned off, you will need to do the following:
- Download Security Update for Microsoft SharePoint Enterprise Server 2013 (KB4486687).
- Copy the downloaded file on all SharePoint Servers within the farm.
- Install the downloaded file on all SharePoint Servers within the farm.
- Finally, run the SharePoint Configuration Wizard on each SharePoint server across the farm to apply the security update.
Note: In SharePoint 2013, running the SharePoint Configuration Wizard requires downtime even if you have a high availability farm.
Security Update for Microsoft SharePoint Foundation 2013 (KB4486694)
This SharePoint security update mainly resolves RCE vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.
Prerequisites
You must have SharePoint Foundation 2013 installed to apply this SharePoint Security update.
Again, if you have already turned on automatic Microsoft Update, this update will be downloaded and installed automatically.
In this case, you only need to schedule a run of the SharePoint Configuration Wizard on each SharePoint server across the farm to apply this security update.
If automatic Microsoft Update is turned off, you will need to do the following:
- Download Security Update for Microsoft SharePoint Foundation 2013 (KB4486694).
- Copy the downloaded file on all SharePoint Servers within the farm.
- Install the downloaded file on all SharePoint Servers within the farm.
- Finally, run the SharePoint Configuration Wizard on each SharePoint server across the farm to apply the security update.
Patching SharePoint Farm Considerations
Below, we'll list some important considerations that you should be aware of when you decide to apply a new cumulative or security update to your SharePoint farm:
- It's strongly recommended to install and test the SharePoint update in the dev/test environment before installing it in the production environment.
- You can't roll back or uninstall a SharePoint Cumulative Update installation, so before applying a new cumulative update it's strongly recommended to perform a full backup. At a minimum, back up the following:
  - Content databases.
  - Your customizations.
  - The farm configuration, by running Backup-SPFarm -ConfigurationOnly.
- Hot snapshots of virtual machines are NOT supported. Only cold snapshots, taken while all virtual machines are shut down, are supported.
- The latest security updates should be installed as soon as possible after they have been released.
- After installing the SharePoint security updates, you should plan to run the SharePoint Configuration Wizard on all SharePoint servers to apply the new fixes.
- It's recommended to run the Configuration Wizard first on the SharePoint server that hosts Central Administration.
- It's also recommended to install non-security updates that solve a specific issue in your farm; check the improvements and fixed issues section of each update.
Note: the installed non-security updates shouldn't be older than one year, even if you don't have an issue with your farm. In our case, we are planning to install them every quarter; the cadence mainly depends on your company policy, but in the end they shouldn't be older than one year.
- It's not recommended to apply the latest Cumulative Update released in the current month.
- In SharePoint 2013 and SharePoint 2016 (without High Availability), the update process requires downtime, so you should schedule an RFC with an outage window to apply a new patch.
- Zero downtime patching is only supported in SharePoint 2016 and 2019 with a High Availability environment.
- Installing a new language pack requires installing the currently installed monthly update again. In SharePoint 2019 and 2016, only the language-dependent fix must be installed again.
- In SharePoint 2016, each SharePoint installation comes with a language-independent and a language-dependent component. Therefore, both the language-independent and the language-dependent fix must be installed to fully patch a SharePoint server (the sequence doesn't matter)!
- In SharePoint 2013, SharePoint Server 2013 SP1 is a prerequisite for installing all subsequent cumulative updates.
- SharePoint Server 2013 Service Pack 1 does not include Language Pack Service Pack 1, so you should apply Language Pack Service Pack 1 separately after applying SharePoint Server 2013 Service Pack 1 to avoid the error: The expected version of the product was not found on the system.
- In SharePoint 2013, a farm with a cumulative update older than April 2018 is not supported.
- SharePoint patching can sometimes take several hours; to reduce the update time, see SharePoint 2013 Cumulative Update takes a long time to install.
SharePoint should be updated in the following three steps:
- Download and install the update package (CU, Service Pack, PU, etc.).
- Run the SharePoint Configuration Wizard to apply the installed patches on all SharePoint servers across the farm.
- Check the upgrade status.
Regarding the security update: if you have already turned on automatic Microsoft Update, the update will be downloaded and installed automatically. In this case, you only need to schedule a run of the SharePoint Configuration Wizard on each SharePoint server across the farm to apply this security update.
To apply the installed SharePoint patches, you must run the SharePoint Configuration Wizard on all SharePoint servers across the farm by doing the following:
You must remove the WSS_Logging database from the Availability Group before running the SharePoint Configuration Wizard.
For more details, please check The operation cannot be performed on database because it is involved in a database mirroring.
Steps
- Log in to the main application server that hosts Central Administration with the Farm account.
- Go to the Start menu and type SharePoint Configuration Wizard.
- In step 9, you will note that it's performing an upgrade of SharePoint Products.
- Repeat all the previous steps on all SharePoint servers in the farm.
Start by running the SharePoint Configuration Wizard on the main application server that hosts Central Administration, then continue with the other servers in any order.
For more details, check Health Analyzer Issue: Product/patch installation or server upgrade required.
In some cases, you may need to run the SharePoint Configuration Wizard with specific parameters. In that case, use PowerShell as follows:
Steps
- Log in to the main application server with the Farm account.
- Open the SharePoint Management Shell as Administrator.
- Run the following PSConfig.exe command:
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures
- Repeat all the previous steps on all SharePoint servers in the farm.
Once the SharePoint Configuration Wizard has finished successfully on each SharePoint server across the farm, check the SharePoint upgrade status by doing the following:
Steps
- Go back to the Central Administration > Upgrade and Migration > Check upgrade status.
- Ensure that the status of each server is Succeeded.
Recall: you can't roll back the Cumulative Update installation, and:
- If the previous upgrade attempt failed, you must resolve the upgrade issues before proceeding to apply a new upgrade.
- If the upgrade process fails, check the logs and try to resolve the root cause of the failure. In the worst case, you have no option other than restoring the farm backup.
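The three-step procedure above (install, run the Configuration Wizard everywhere, check upgrade status) can be verified from the SharePoint Management Shell. The following PowerShell script is an added example, not code from the original post: it takes the configuration-only backup recommended earlier, prints the farm build, and lists every farm server whose NeedsUpgrade flag is still set, i.e. where PSConfig has not yet been run after the binaries were installed. The backup share and the expected build number are placeholders you must replace with your own values.

```powershell
# Added example (not from the original post). Run as the Farm account from an
# elevated SharePoint Management Shell on a server in the farm.
param(
    # Placeholder UNC path for the configuration-only backup.
    [string]$BackupDirectory = '\\BACKUPSERVER\SPBackups',
    # Placeholder: the farm build number that the installed security update
    # should produce; take it from the update's release notes.
    [version]$ExpectedBuild = '16.0.0.0'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Backup-FarmConfiguration {
    # Configuration-only backup; content databases and customizations still
    # need their own backups, as the considerations list states.
    Backup-SPFarm -Directory $BackupDirectory -BackupMethod Full -ConfigurationOnly
}

function Get-FarmUpgradeStatus {
    # NeedsUpgrade is True on a server whose installed binaries are newer than
    # the farm configuration, i.e. the Configuration Wizard is still pending.
    Get-SPServer |
        Where-Object { $_.Role -ne 'Invalid' } |   # skip SQL and other non-SharePoint hosts
        Select-Object Name, Role, NeedsUpgrade
}

Backup-FarmConfiguration

$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $ExpectedBuild) {
    Write-Warning "Farm build is below the expected build $ExpectedBuild; the update is not fully applied."
}

$status = Get-FarmUpgradeStatus
$status | Format-Table -AutoSize

$pending = $status | Where-Object { $_.NeedsUpgrade }
if ($pending) {
    Write-Warning ("Run the SharePoint Configuration Wizard on: " + ($pending.Name -join ', '))
} else {
    Write-Host 'No server reports NeedsUpgrade; confirm in Central Administration > Upgrade and Migration > Check upgrade status.'
}
```

Run it once before patching to capture the backup and baseline build, and again after the Configuration Wizard has completed on every server; any server still listed as pending is the one the wizard must be rerun on.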
In SharePoint 2016, each SharePoint installation comes with a language-independent and a language-dependent component. Therefore, both the language-independent and the language-dependent fix must be installed to fully patch a SharePoint server!
So to install a new Cumulative Update in SharePoint 2016, you should do the following:
First, in any case (SharePoint 2016 alone or SharePoint 2016 with a Language Pack), you must do the following:
- It's mandatory to install both the language-independent and the language-dependent fix; the sequence does not matter!
- After installing both fixes, you must run the SharePoint Configuration Wizard on all SharePoint servers across the farm to apply the installed fixes!
To install a new Language Pack later on a SharePoint 2016 farm that is already patched with a specific CU, you should do the following:
- Install the new Language Pack.
- Install the language-dependent fix of the currently installed CU again!
- Run the SharePoint Configuration Wizard on all SharePoint servers within the farm.
Note: If additional language packs are added later, you will ONLY need to apply the language-dependent fix again.
- Zero downtime patching requires high availability of each server role: at least two servers per role are required.
- There is no zero downtime patching on a single-server farm.
- Zero downtime patching was introduced in SharePoint 2016; SharePoint 2013 does not support it.
Conclusion
In conclusion, as a SharePoint Administrator, you must immediately patch your farm with the SharePoint security update that corresponds to your SharePoint version to resolve this SharePoint Remote Code Execution Vulnerability.
Applied To
- SharePoint 2019.
- SharePoint 2016.
- SharePoint 2013.
See Also
Read more about the improvements and fixes for each security update at