SharePoint Remote Code Execution Vulnerability

SharePoint Remote Code Execution Vulnerability Fixes

Recently, a new SharePoint remote code execution vulnerability (CVE-2020-16952) has been detected in SharePoint products that allow attackers to run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

In this post, we’ll show what’re the actions required by SharePoint Administrators to resolve SharePoint Remote Code Execution Vulnerability and prevent attackers to exploit this RCE vulnerability by installing the important SharePoint Security Updates for each affected SharePoint version.

You might also like to read Patching SharePoint Farm Considerations.


What’s SharePoint Remote Code Execution Vulnerability?

Briefly, the remote code execution (RCE) is the ability to access and controlling a computer/server to run malicious software by attackers remotely.

What’re the affected SharePoint Versions?

Below is the list of the SharePoint versions that have been affected by SharePoint Remote Code Execution Vulnerability (CVE-2020-16952).

  • SharePoint 2019.
  • SharePoint 2016 Enterprise Edition.
  • SharePoint 2013 with Service Pack 1.
  • SharePoint Foundation 2013 with Service Pack 1.

Note: it’s strongly recommended to immediately patch your farm with the corresponding SharePoint security update based on your SharePoint version to resolve this SharePoint Remote Code Execution Vulnerability.

Resolve SharePoint Remote Code Execution Vulnerability

To avoid the exploitation of this SharePoint Remote Code Execution Vulnerability (CVE-2020-16952), Microsoft has provided SharePoint Security Updates for each affected SharePoint versions as the following:

SharePoint 2019 Security Update (KB4486676)

This SharePoint security update mainly resolves RCE vulnerabilities in SharePoint 2019 that could allow remote code execution if a user opens a specially crafted Office file.

Prerequisites

You must have SharePoint Server 2019 installed to apply this SharePoint Security update.

Download and Apply SharePoint Security Update

If you have already turned on the automatic Microsoft update, this update will be downloaded and installed automatically.
In this case, you just will need to schedule to run the SharePoint configuration wizard on each SharePoint Server cross the farm to apply this security update.

If the automatic Microsoft update is turned off, so you will need to do the following:

Run SharePoint Configuration Wizard

SharePoint Enterprise 2016 Security Update (KB4486677)

This SharePoint security update mainly resolves RCE vulnerabilities in SharePoint 2016 enterprise edition that could allow remote code execution if a user opens a specially crafted Office file.

Prerequisites

You must have SharePoint Server 2016 Enterprise Edition installed to apply this SharePoint Security update.

Download and Apply SharePoint Security Update

Again, If you have already turned on the automatic Microsoft update, this update will be downloaded and installed automatically.
In this case, you just will need to schedule to run the SharePoint configuration wizard on each SharePoint Server cross the farm to apply this security update.

If the automatic Microsoft update is turned off, so you will need to do the following:

Note: In SharePoint 2016, running the SharePoint Configuration Wizard will require downtime if you don’t have high availability farm.


SharePoint Enterprise 2013 Security Update (KB4486687)

This SharePoint security update mainly resolves RCE vulnerabilities that exist in Microsoft Excel software if the software does not correctly handle objects in memory.

Prerequisites

You must have SharePoint Server 2013 Enterprise Edition with Service Pack 1 installed to apply this SharePoint Security update.

Download and Apply SharePoint Security Update

Again, If you have already turned on the automatic Microsoft update, this update will be downloaded and installed automatically.
In this case, you just will need to schedule to run the SharePoint configuration wizard on each SharePoint Server cross the farm to apply this security update.

If the automatic Microsoft update is turned off, so you will need to do the following:

Note: In SharePoint 2013, running the SharePoint Configuration Wizard requires downtime even you have high availability farm.

SharePoint Foundation 2013 Security Update (KB4486694)

This SharePoint security update mainly resolves RCE vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file.

Prerequisites

You must have SharePoint Foundation 2013 installed to apply this SharePoint Security update.

Download and Apply SharePoint Security Update

Again, If you have already turned on the automatic Microsoft update, this update will be downloaded and installed automatically.
In this case, you just will need to schedule to run the SharePoint configuration wizard on each SharePoint Server cross the farm to apply this security update.

If the automatic Microsoft update is turned off, so you will need to do the following:


Patching SharePoint Farm Considerations

Below, we’ll list some of the important considerations that you should be aware when decide to apply and a new cumulative or security update in your SharePoint farm:

  • It’s strongly recommended to install and test the SharePoint update on the dev/test environment before going ahead to install it on the production environment.
  • You can’t rollback or uninstall the SharePoint Cumulative Update Installation. so before applying a new cumulative update, It’s strongly recommended to perform a full backup before starting the update process:
    • At least you need to perform a backup for the following:
      • Content Databases
      • Your customization.
      • Back up farm configuration by running Backup-SPFarm -ConfigurationOnly.
  • Hot snapshots for virtual machines are NOT supported.
  • Only cold snapshots that taken when all virtual machines are shut down are supported.
  • The latest security updates should be installed as soon as possible after they have been released.
  • After installing the SharePoint security updates, you should plan to run the SharePoint configuration wizard on all SharePoint Servers to apply the new fixes.
  • It’s recommended to run first the configuration wizard on the SharePoint server that hosts the central administration.
  • It’s also recommended to install non-security updates that will solve a specific issue in your farm by checking the improvements and issues that should be fixed section.

Note: the non-security updates shouldn’t be older than one year even you don’t have an issue with your farm, in our case, we are planning to install it every quarter but and it mainly depends on your company policy but in the end, it shouldn’t be older than one year

  • It’s not recommended to apply the latest Cumulative Update that released in the current month.
  • In SharePoint 2013 and SharePoint 2016 (Without High Availability), you should know that the update process requires downtime, so you should schedule a new RFC with an outage to apply a new patch.
  • Zero downtime patching is only supported in SharePoint 2016 and 2019 with a High Availability environment.
  • Installing a new language pack requires installing the current installed monthly update again.

In SharePoint 2019 and 2016 only language-dependent fix must be installed again.


Install new Update for a SharePoint Farm

The SharePoint should be updated through the below three steps:

  1. Download and Install the package update like CU, Service Pack, PU …etc.
  2. Run the SharePoint Configuration Wizard to apply the installed patches on all SharePoint Server cross the farm.
  3. Check Upgrade Status.

Regarding the Security update, If you have already turned on the automatic Microsoft update, the update will be downloaded and installed automatically. In this case, you just will need to schedule to run the SharePoint configuration wizard on each SharePoint Server cross the farm to apply this security update.

Run SharePoint Configuration Wizard via PSConfigUI.exe

To apply the installed SharePoint patches, you must run SharePoint Configuration Wizard on all SharePoint Server cross the farm by doing the following:

You must remove WSS_Logging database from the Availability Group before running SharePoint Configuration Wizard.

For more details, Please check , The operation cannot be performed on database because it is involved in a database mirroring
Steps
  • Log in to the main application server that hosts the Central Administration with a Farm account.
  • Go to Start menu > Type SharePoint Configuration Wizard.
Open SharePoint 2016 Configuration Wizard
Run SharePoint Configuration Wizard
  • In step 9, you will note that it’s performing an upgrade to SharePoint Products.
Configure SharePoint Products
  • Repeat all the previous steps on all SharePoint servers in the farm.

Start to run the SharePoint Configuration Wizard on the main application server that hosts the central administration. then continue with other servers without considering the order.

For more details check Health Analyzer Issue: Product/patch installation or server upgrade required.

Run SharePoint Configuration Wizard using PowerShell

In some cases, you may need to run SharePoint Configuration Wizard with specific parameters, in this case, you should use PowerShell as the following:

Steps
  • Log in to the main application server with a Farm account.
  • Open SharePoint Management Shell as Administrator.
Run SharePoint Management Shell as Administrator
  • Run the following PSConfig.exe command
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures
  • Repeat all the previous steps on all SharePoint servers in the farm.

Check SharePoint Upgrade and Migration Status

Once the SharePoint Configuration Wizard is finished successfully on each SharePoint Server cross the farm, you should check SharePoint Upgrade Status by doing the following:

Steps
  • Go back to the Central Administration > Upgrade and Migration > Check upgrade status.
Check SharePoint Upgrade Status
  • Ensure that the status of each server is succeeded.
Check Upgrade Status details successd

Recall: you can’t rollback the Cumulative Update installation, and

– If the previous upgrade attempt has failed, you must resolve upgrade issues before proceeding to apply a new upgrade.

– If the upgrade process failed, you should check the logs and try to solve the root cause of the failure. In the worth case, you don’t have other options rather than restoring the farm backup.


Install new Cumulative Update in SharePoint 2016/2019

In SharePoint 2016, each SharePoint installation comes with a language-independent and a language-dependent component. Therefore, It is required to install both (language-independent – language-dependent) fixes to fully patch a SharePoint server!

So to install new Cumulative Update in SharePoint 2016, you should do the following:

Apply new CU in SharePoint 2016/2019

First, In any case (Only SharePoint 2016 or SharePoint 2016 with Language Pack), you must do the following:

  • It’s mandatory to install both (language-independent – language-dependent) fixes, the sequence does not matter!
  • After installing both fixes, you must run the Sharepoint Configuration Wizard on all SharePoint servers cross the farm to apply the installed fixes!

Install Language Pack in SharePoint 2016/2019

To install a new Language Pack later on SharePoint 2016 farm that already patched with a specific CU, you should do the following:

  • Install the new Language Pack.
  • Install the language-dependent fix of the current CU installed again!!
  • Run the Sharepoint Configuration Wizard on all SharePoint Servers within the farm.

Note: If additional language packs are added later, you will ONLY need to apply the language dependent fix again.

Zero Downtime in SharePoint 2016/2019

  • Zero downtime patching requires the high-availability of each server role at least two servers per role is required.
  • There is no zero downtime patching on a single server farm.
  • The Zero patching is introduced only in SharePoint 2016, the SharePoint 2013 does not support the Zero downtime patching.

Conclusion

In conclusion, as a SharePoint Administrator, you must immediately patch your farm with the corresponding SharePoint security update based on your SharePoint version to resolve this SharePoint Remote Code Execution Vulnerability.

Applied To
  • SharePoint 2019.
  • SharePoint 2016.
  • SharePoint 2013.
See Also

Read more about the improvements and fixes for each security update at

Leave a Reply