CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability

SUMMARY
Microsoft recently released patches for a critical remote code execution (RCE) vulnerability in MS Office Word’s RTF parser. Though there are no indications of this vulnerability being exploited in the wild, due to its criticality and impact it should be addressed as soon as possible.

The CVE-2023-21716 vulnerability affects a wide variety of MS Office, SharePoint, and O365 application versions. All applications should be updated to the latest versions as soon as possible.

A proof-of-concept for CVE-2023-21716 allows attackers to exploit this critical vulnerability in Microsoft Word with just three lines of code, resulting in remote code execution.

RISK SCORING
CVE-2023-21716: CVSS 9.8 (Critical)

AFFECTED PRODUCTS
1.  Microsoft O365 Apps for Enterprise
2.  Microsoft Office
    * Office 2019 for Mac
    * Office LTSC 2021 for Mac 2021
    * Office Online Server
    * Office Web Apps Server 2013 Service Pack 1
3.  Microsoft Word
    * Word 2013 for RT SP1, SP1
    * Word 2016 for
4.  Microsoft SharePoint
    * Enterprise Server 2013 Service Pack 1
    * Enterprise Server 2016
    * Foundation 2013 Service Pack 1
    * Server 2019
    * Server Subscription Edition
    * Server Subscription Edition Language Pack

TECHNICAL DETAILS
The CVE-2023-21716 vulnerability in MS Office’s “wwlib.dll” was privately disclosed to Microsoft in November 2022 by security researcher Joshua Drake. Microsoft released a patch to address the vulnerability on February 14, 2023.

The vulnerability is a heap corruption vulnerability found in MS Office Word’s RTF parser. When exploited, the vulnerability allows threat actors to execute arbitrary commands with the victim’s privileges via malicious RTF files. Microsoft warns that users are not required to open a malicious RTF document, and that simply previewing the file in the Preview Pane will facilitate the compromise. Due to the low complexity and high impact of potential exploitation, the CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical).

The disclosing researcher explains that the RTF parser in Microsoft Word has a heap corruption vulnerability that is triggered “when dealing with a font table (\fonttbl) containing an excessive number of fonts (\f###).” Drake says that there is additional processing after the memory corruption occurs and a threat actor could leverage the bug for arbitrary code execution by using a properly crafted heap layout.
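
For defenders triaging RTF attachments, the condition described above (a font table declaring an excessive number of fonts) can be checked statically. The following is an added example, not code from Microsoft or the researcher; the function names, the sample document and the MAX_FONTS threshold are assumptions made for illustration.

```python
import re

# Assumption: triage threshold chosen for illustration; tune it to your document corpus.
MAX_FONTS = 1000

FONTTBL_OPEN = re.compile(rb"\{\s*\\fonttbl")
# \f<digits> font-number control word, not preceded by an escaping backslash.
FONT_NUM = re.compile(rb"(?<!\\)\\f\d{1,10}")


def fonttbl_groups(data: bytes):
    """Yield the bytes of each {\\fonttbl ...} group by tracking brace depth."""
    pos = 0
    while (m := FONTTBL_OPEN.search(data, pos)) is not None:
        depth, i = 0, m.start()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":      # control word or escaped \{ \} \\ : skip next byte
                i += 2
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield data[m.start():i + 1]   # an unterminated group runs to end of file
        pos = i + 1


def scan_rtf(data: bytes, max_fonts: int = MAX_FONTS) -> dict:
    """Count font entries declared in the font table(s) and flag oversized ones."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "fonts": 0, "suspicious": False}
    fonts = sum(len(FONT_NUM.findall(g)) for g in fonttbl_groups(data))
    return {"is_rtf": True, "fonts": fonts, "suspicious": fonts > max_fonts}


# Constructed sample: a small, ordinary RTF document with two fonts.
SAMPLE = rb"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times \{New\};}}\f0 Hello}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE))                 # default threshold
    print(scan_rtf(SAMPLE, max_fonts=1))    # lowered threshold to show the flag
```

A hit from this check is a reason to quarantine the file for closer inspection, not proof of an exploit; it does not replace installing the update.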

RECOMMENDATIONS
Install the security update from Microsoft.

 
