In this article, we discuss how to detect and protect against the vulnerability to ensure your systems remain secure.
Understanding the Vulnerability
Microsoft Word can open Rich Text Format (RTF) documents, which are made up of 7-bit ASCII-based control words that can carry a wide range of rich content. Recently, a vulnerability was found in Microsoft Word's RTF parser that leads to heap corruption. This issue has been assigned CVE-2023-21716 and was discovered, analyzed, and reported by Joshua J. Drake (@jduck). He shared a proof of concept on Twitter, which can be seen in the following figure.
The heap corruption occurs when the RTF parser in Microsoft Word encounters a font table (\fonttbl) that contains an excessive number of font entries (\f####). While processing the font table, the parser loads the font ID value (\f####) into the upper bits of EDX. If a font ID within the table is too large, the parser writes outside the intended heap allocation, producing a negative offset from the address held in ESI. This heap corruption can be exploited to execute arbitrary commands with the privileges of the victim.
This vulnerability has garnered significant attention, primarily due to the following reasons:
- The attack is of low complexity and can be as simple as attaching an RTF document to an email.
- The attacker does not need privileged user access.
- The victim does not need to interact with the document for the attack to occur.
- No prior authentication is required.
- The supposedly secure "preview pane" feature in Microsoft's mail client can also be used as a threat vector.
It is worth noting that the victim may not even need to open the RTF document, and merely loading the file in the preview pane is enough to trigger the compromise.
Dealing with this vulnerability involves the following steps:
- The safest approach is to install the security update from Microsoft.
- For those who cannot apply the fix yet, one workaround is to read email in plain text format.
- Another option is to enable the Microsoft Office File Block Policy, which involves editing the registry.
Are Your Systems at Risk? Detecting the Microsoft Word RTF Font Table Heap Corruption CVE-2023-21716
Microsoft's advisory for the critical vulnerability CVE-2023-21716 lists the following affected Office versions:
- Office 2021 Retail: Version less than 2301 (Build 16026.20200)
- Office 2019 Retail: Version less than 2301 (Build 16026.20200)
- Office 2016 Retail: Version less than 2301 (Build 16026.20200)
- Office LTSC 2021 Volume Licensed: Version less than 2108 (Build 14332.20461)
- Office 2019 Volume Licensed: Version less than 1808 (Build 10395.20020)
And the following SharePoint versions:
- SharePoint Enterprise Server 2013: Version less than 15.0.5529.1000
- SharePoint Enterprise Server 2016: Version less than 16.0.5383.1000
- SharePoint Enterprise Server 2019: Version less than 16.0.10395.20001.
Efficiently Conduct Asset Inventory in Multi-Cloud and Hybrid Cloud Environments: A Mondoo Solution
With Mondoo's GraphQL-based query language, MQL, you can efficiently collect information about the installed packages on your assets, whether they are container images, VMs, bare-metal servers, or anything else.
If you have not yet installed cnquery, follow our installation instructions. Once it is installed, you can gather information about the installed packages on a Windows system via ssh:
cnquery shell ssh vagrant@192.168.56.221 --ask-pass
packages.where( name == /Office/ && name == /2016|2019|2021/ )
You also can run the cnquery shell in PowerShell on the Windows system:
.\cnquery.exe shell
packages.where( name == /SharePoint/ )
We have incorporated a dedicated Windows Incident Response Pack to facilitate rapid data collection. You can download the complete repository from cnquery-packs. This pack enables you to validate container images, running containers, virtual machines, and the local machine.
To inspect the Windows system via ssh, run the following:
cnquery scan ssh vagrant@192.168.56.221 --ask-pass -f cnquery-packs/core/mondoo-windows-incident-response.mql.yaml -o full
You can apply the same approach locally:
.\cnquery.exe scan --querypack mondoo-windows-incident-response -o full
Preventing Future Vulnerabilities: Ensuring No New Installations are Affected by CVE-2023-21716
After patching all identified systems, it is crucial to prevent any new system from running a version affected by the Microsoft Word RTF font table heap corruption (CVE-2023-21716). To address this, we have introduced a new Microsoft Vulnerability Policy in cnspec. This policy verifies that none of the installed packages is impacted by the vulnerability.
If you have not yet installed cnspec, follow our installation instructions. cnspec enforces the correct settings through controls that use MQL queries. The following queries verify that no affected version is in use (one query per product line; SharePoint 2013 ships as the 15.x release, so it is matched by the 15.0.5529 threshold):
packages.where( name == /SharePoint/ && name == /2013/ ).all(version.split('.')[0] == 15 && version.split('.')[2] >= 5529)
packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 5383)
packages.where( name == /SharePoint/ && name == /2019/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 10395)
packages.where( name == /Office/ && name == /2016|2019|2021/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 16026)
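The same version checks, written out in Python as an added example (not part of the original post and not Mondoo's code), cover both the affected-version list above and the MQL queries just shown. It takes a package inventory of (name, version) pairs, as the cnquery `packages` resource would return them, and compares each entry numerically against the first fixed build from the Microsoft advisory. The inventory at the bottom is constructed for illustration; the name patterns and the assumption that Office reports its version as 16.0.<build>.<revision> are mine, and a Volume Licensed Office 2019 install cannot be told apart from a retail one by package name alone, so it is held to the retail threshold (a conservative false positive rather than a miss).

```python
"""Check a package inventory against the fixed builds for CVE-2023-21716.

Added example, not part of the original article or of the cnspec policy.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    name_pattern: str            # regex matched against the package name (my assumption)
    fixed_version: Tuple[int, ...]  # first build that is NOT affected


# Fixed builds as listed in the article. Office Click-to-Run installs report
# 16.0.<build>.<revision>, so "2301 (Build 16026.20200)" is 16.0.16026.20200.
# Order matters: the LTSC rule must come before the generic Office rule.
RULES = [
    Rule(r"Office.*LTSC.*2021", (16, 0, 14332, 20461)),
    Rule(r"SharePoint.*2013", (15, 0, 5529, 1000)),
    Rule(r"SharePoint.*2016", (16, 0, 5383, 1000)),
    Rule(r"SharePoint.*2019", (16, 0, 10395, 20001)),
    Rule(r"Office.*(2016|2019|2021)", (16, 0, 16026, 20200)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.16026.20200' into (16, 0, 16026, 20200).

    Builds must be compared as integers: as strings, '5383' sorts after
    '10395', which would silently pass a vulnerable SharePoint 2019.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def rule_for(name: str) -> Optional[Rule]:
    """Return the first matching threshold rule, or None for uncovered products."""
    for rule in RULES:
        if re.search(rule.name_pattern, name):
            return rule
    return None


def is_affected(name: str, version: str) -> Optional[bool]:
    """True if the package is below its fixed build, False if at or above it,
    None if the advisory does not cover this product at all."""
    rule = rule_for(name)
    if rule is None:
        return None
    # Tuple comparison is element-wise; a shorter version string such as
    # '16.0.16026' compares below '16.0.16026.20200' and is flagged (conservative).
    return parse_version(version) < rule.fixed_version


def affected_packages(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter an inventory of (name, version) pairs down to the vulnerable ones."""
    return [(n, v) for n, v in inventory if is_affected(n, v)]


# Constructed sample inventory; these are not real scan results.
SAMPLE_INVENTORY = [
    ("Microsoft Office Professional Plus 2019 - en-us", "16.0.15726.20202"),       # below 16026
    ("Microsoft Office Professional Plus 2021 - en-us", "16.0.16026.20200"),       # exactly the fixed build
    ("Microsoft Office LTSC Professional Plus 2021 - en-us", "16.0.14332.20400"),  # below 14332.20461
    ("Microsoft SharePoint Server 2016", "16.0.5383.1000"),                        # fixed
    ("Microsoft SharePoint Server 2013", "15.0.5501.1000"),                        # below 5529
    ("Microsoft SharePoint Server 2019", "16.0.10394.20001"),                      # below 10395
    ("Notepad++ (64-bit x64)", "8.4.9"),                                           # not covered
]


if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_INVENTORY):
        print(f"AFFECTED  {name}  {version}")
```

Running the block lists the four vulnerable entries from the sample inventory and stays silent about the package at exactly the fixed build, which matches the advisory's "less than" wording. The `parse_version` docstring points at the one mistake worth carrying back to a hand-written query: any check that compares build numbers as text rather than numbers will misorder 5383 and 10395.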
Download the cnspec-policies repo and run the cnspec policy against the Windows system via ssh:
cnspec scan ssh vagrant@192.168.56.221 --ask-pass -f cnspec-policies/core/mondoo-microsoft-vulnerability.mql.yaml
Or run it locally in PowerShell on the Windows system:
.\cnspec.exe scan -f .\cnspec-policies-main\core\mondoo-microsoft-vulnerability.mql.yaml
Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.