Microsoft Security Bulletin MS13-030 - Important
Vulnerability in SharePoint Could Allow Information Disclosure (2827663)
Published: April 09, 2013
This security update resolves a publicly disclosed vulnerability in Microsoft SharePoint Server. The vulnerability could allow information disclosure if an attacker determined the address or location of a specific SharePoint list and gained access to the SharePoint site where the list is maintained. The attacker would need to be able to satisfy the SharePoint site's authentication requests to exploit this vulnerability.
This security update is rated Important for all supported editions of Microsoft SharePoint Server 2013. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the default access controls applied to the SharePoint list. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating in supported editions of Windows XP and Windows Server 2003, see Microsoft Knowledge Base Article 294871. For information about automatic updating in supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, see Understanding Windows automatic updating.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Knowledge Base Article
|Knowledge Base Article||2827663|
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Microsoft Server Software
|Software||Update Package||Maximum Security Impact||Aggregate Severity Rating||Updates Replaced|
|Microsoft SharePoint Server|
|Microsoft SharePoint Server 2013||Microsoft SharePoint Server 2013 (coreserverloc) (2737969)||Information Disclosure||Important||None|
This update requires prior installation of the Project Server 2013 cumulative update (2768001). For more information about the update, including download links, see Microsoft Knowledge Base Article 2768001.
|Office and Other Software|
|Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)|
|Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions)|
|Microsoft SharePoint Server 2010 Service Pack 1|
|Microsoft Groove 2007 Service Pack 3|
|Microsoft Groove Server 2007 Service Pack 3|
|Microsoft Groove Server 2010 Service Pack 1|
|Microsoft Groove Server 2013|
|Microsoft SharePoint Portal Server 2003 Service Pack 3 (32-bit editions)|
|Microsoft SharePoint Portal Server 2003 Service Pack 3 (64-bit editions)|
|Microsoft Windows SharePoint Services 2.0 (32-bit editions)|
|Microsoft Windows SharePoint Services 2.0 (64-bit editions)|
|Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit version)|
|Microsoft Windows SharePoint Services 3.0 Service Pack 3 (32-bit version)|
|Microsoft Windows SharePoint Services 3.0 Service Pack 2 (64-bit version)|
|Microsoft Windows SharePoint Services 3.0 Service Pack 3 (64-bit version)|
|SharePoint Foundation 2010 Service Pack 1|
|SharePoint Foundation 2013|
|Microsoft SharePoint Workspace 2010 Service Pack 1 (32-bit editions)|
|Microsoft SharePoint Workspace 2010 Service Pack 1 (64-bit editions)|
|Microsoft SharePoint Workspace 2013 (32-bit editions)|
|Microsoft SharePoint Workspace 2013 (64-bit editions)|
I have the affected software installed on my system. Why am I not being offered the update?
The 2737969 update requires prior installation of the Project Server 2013 cumulative update (2768001). If the 2768001 update is not installed on affected systems, the 2737969 update will not be offered. For more information about the Project Server 2013 cumulative update, including download links, see Microsoft Knowledge Base Article 2768001.
I have downloaded the update from the Microsoft Download Center; why does the installation fail?
Download Center installations of the 2737969 update fails on systems that have not yet had the Project Server 2013 cumulative update (2768001) applied. Users should apply the 2768001 update before installing the 2737969 update. For more information about the Project Server 2013 cumulative update, including download links, see Microsoft Knowledge Base Article 2768001.
Why is the 2768001 update for Project Server a prerequisite for this update?
The 2768001 update for Project Server is a prerequisite for this update (2737969) due to a package configuration change that was introduced after Project Server 2013 was released. You must install Project Server update 2768001 before installing later SharePoint Server 2013 updates.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary. For more information, see Microsoft Exploitability Index.
|Affected Software||Incorrect Access Rights Information Disclosure Vulnerability - CVE-2013-1290||Aggregate Severity Rating|
|Microsoft SharePoint Server|
|Microsoft SharePoint Server 2013||
Incorrect Access Rights Information Disclosure Vulnerability - CVE-2013-1290
An information disclosure vulnerability exists in the way that SharePoint Server enforces access controls on specific SharePoint Lists.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-1290.
- An attacker must have valid Active Directory credentials before validation as a SharePoint user, and subsequent access to other users' files, could be possible.
- The "Everyone" group used in assigning sharing permissions in Windows does not include "Anonymous users".
- The attack vector for this vulnerability is established through new My Sites that have been created using the legacy user interface mode in SharePoint Server 2013 installations that were upgraded from SharePoint Server 2010. New My Sites created with clean installations of SharePoint Server 2013 are not subject to exploitation from this vulnerability.
- For SharePoint Server 2013, set the permissions for users' personal document libraries to explicitly deny access to "NT Authenticated\All users" and set the permissions on each personal library to "Stop Inheriting Permissions". For more information, see Edit permissions for a list, library, or individual item.
What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited the vulnerability could gain access to documents to which the attacker would not otherwise have access.
What causes the vulnerability?
The vulnerability is caused by the way that SharePoint, by default, applies access controls to a SharePoint list.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain access to list items in a SharePoint list that the list owner did not intend for the attacker to be able to access.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would need to know the address or location of a specific SharePoint list to access the list's items. In order to gain access to the SharePoint site where the list is maintained, the attacker would need to be able to satisfy the SharePoint site's authentication requests.
What systems are primarily at risk from the vulnerability?
Systems that are running an affected version of SharePoint Server are primarily at risk.
What does the update do?
The update addresses the vulnerability by correcting the default access controls applied to the SharePoint list.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2013-1290.
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Detection and Deployment Tools and Guidance
Several resources are available to help administrators deploy security updates.
- Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
- Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager (SCCM) help administrators distribute security updates.
- The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications.
For more information about these tools and guidance in deploying security updates across networks, see Security Tools for IT Pros.
Security Update Deployment
For information about the specific security update for your affected software, click the appropriate link:
SharePoint Server 2013 (all editions)
The following table contains the security update information for this software.
|Security update file name||For Microsoft SharePoint Enterprise Server 2013:
|Installation switches||See Microsoft Knowledge Base Article 912203|
|Restart requirement||In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
|Removal information||This security update cannot be removed.|
|File information||See Microsoft Knowledge Base Article 2737969|
|Registry key verification||Not applicable|
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (April 9, 2013): Bulletin published.
Built at 2014-04-18T13:49:36Z-07:00