SRC-2022-0004 : Microsoft SharePoint Server SPWebRequest SafeCreate TOCTOU DNS Rebinding Security Feature Bypass Vulnerability

CVE ID: CVE-2022-21968

CVSS Score: 4.3, (/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Vendors: Microsoft

Affected Products: SharePoint Server

Vulnerability Details: This vulnerability allows remote attackers to bypass IP access restrictions on affected installations of Microsoft SharePoint Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the SPWebRequest SafeCreate API. The issue results from a time-of-check to time-of-use (TOCTOU) condition when requesting IP addresses from DNS servers. An attacker can leverage this vulnerability to bypass IP restrictions when performing server-side request forgery attacks.
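
The check-then-use gap described above, modeled as an added example (not SharePoint's code or Microsoft's fix): a filter that validates one DNS answer and then lets the HTTP client resolve the name again, next to the hardened form that resolves once and connects to the validated address. `FlippingResolver`, the function names, the host name and the addresses are constructed for illustration.

```python
import ipaddress


class FlippingResolver:
    """Constructed stand-in for DNS whose answer changes between lookups."""

    def __init__(self, answers):
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        # Return the next queued answer; repeat the last one when exhausted.
        answer = self._answers[min(self.lookups, len(self._answers) - 1)]
        self.lookups += 1
        return answer


def is_allowed(ip):
    """IP restriction: refuse internal and special-purpose destinations."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast
                or addr.is_unspecified)


def connect_target_racy(host, resolver):
    """Flawed pattern: validate one lookup, connect using a second lookup."""
    if not is_allowed(resolver.resolve(host)):   # time of check
        raise PermissionError("destination blocked")
    return resolver.resolve(host)                # time of use (new lookup)


def connect_target_pinned(host, resolver):
    """Hardened pattern: resolve once, validate, connect to that address."""
    ip = resolver.resolve(host)
    if not is_allowed(ip):
        raise PermissionError("destination blocked")
    # The caller opens the socket to `ip` and sends `host` only in the
    # Host header / TLS SNI, so no second DNS lookup takes place.
    return ip


if __name__ == "__main__":
    answers = ["8.8.8.8", "10.0.0.5"]  # constructed: public, then internal
    print("racy  ->", connect_target_racy("rebind.example", FlippingResolver(answers)))
    print("pinned->", connect_target_pinned("rebind.example", FlippingResolver(answers)))
```
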

Vendor Response:

Microsoft has issued an update to correct this vulnerability. More details can be found at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21968

Disclosure Timeline:

  • 2020-09-19 – Sent to Microsoft

  • 2022-02-08 – Coordinated public release of advisory

Credit: This vulnerability was discovered by Yuhao Weng and Zhiniang Peng of Sangfor, and Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute