Overview of CVE-2023-21716
Indonesia – SECRY – CVE-2023-21716 is a severe heap corruption vulnerability in the RTF parser of Microsoft Word. A remote attacker who exploits it can execute code with the privileges of the user who opens or previews a malicious RTF document.
Attackers can easily send the malicious file to the target via email or other methods. Despite the availability of a proof of concept (PoC), Microsoft believes it is unlikely that the vulnerability has been exploited in the wild.
Severity and Affected Products
CVE-2023-21716 carries a CVSS 3.1 base score of 9.8, which is Critical (not merely High) on the CVSS scale.
The vulnerability affects a wide range of Microsoft products, including Microsoft Office, SharePoint Server, and the Microsoft 365 Apps.
The score follows from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the malicious document arrives over the network, attack complexity is low, no privileges are needed, no user interaction is required (parsing in the Preview Pane is enough), and a successful exploit yields high impact on confidentiality, integrity and availability.
Discovery and Proof-of-Concept of CVE-2023-21716
Security researcher Joshua Drake discovered the vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory with a PoC demonstrating the exploitability of the issue.
The PoC triggers the heap corruption (a crash) but does not demonstrate full code execution. Drake also produced a tweet-sized version of the PoC, which drew attention from the security community.
Vulnerability Mechanics and Attack Vectors
The vulnerability resides in Microsoft Word’s RTF parser (wwlib.dll). A font table (\fonttbl) that declares an excessive number of fonts (\f### entries; the public PoC emits 32,761 of them) causes heap corruption when the table is processed.
A remote attacker can exploit the flaw to execute code with the privileges of the user who opens or merely previews a malicious .rtf document.
Microsoft Word #RCE (CVE-2023-21716) #POC written in Python. (#0day, CVSS score of 9.8)

```python
# Writes an RTF whose font table declares 32,761 fonts (\f0 .. \f32760)
open("t3zt.rtf", "wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([("{\\f%dA;}\n" % i) for i in range(0, 32761)]) + "}\n{\\rtlch no crash??}\n}}\n").encode("utf-8"))
```

— 61ue5creen (@hd3s5) March 14, 2023
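As an added example (not code from this article, from Microsoft, or from the author of the tweet above), the following Python script scans a document for the condition the PoC abuses: a \fonttbl group that declares far more fonts than any real document uses. The threshold MAX_SANE_FONTS and both sample documents are assumptions constructed for the example; the 32,761-entry sample mirrors the PoC's layout but is built in memory only and is inert as a byte string. In practice this kind of check belongs at a mail gateway or file-drop scanner, before Outlook or Word ever parses the file.

```python
"""Heuristic scanner for RTF files with an oversized font table (CVE-2023-21716).

Example code added for this article; it is not Microsoft's, Joshua Drake's,
or the tweet author's code. The font-count threshold and the sample documents
are assumptions constructed for the example.
"""
import re
import sys
from typing import Optional

# Assumed threshold: real documents declare a handful of fonts, while the
# public PoC emits 32,761 \fN entries. Tune it to your environment.
MAX_SANE_FONTS = 1024

# "\f" followed by digits is a font-table entry (or a font reference). Control
# words such as \fonttbl, \fswiss, \fcharset0 and \fs24 do not match because
# the character after the 'f' is not a digit.
FONT_ENTRY_RE = re.compile(rb"\\f(\d+)")


def extract_fonttbl(data: bytes) -> Optional[bytes]:
    """Return the raw bytes of the {\\fonttbl ...} group, or None.

    Brace depth is tracked so that the nested {\\fN ...;} entries stay inside
    the group and escaped braces (\\{ and \\}) in font names do not end it
    early. \\bin binary runs are not handled (assumed absent from the table).
    """
    pos = data.find(b"\\fonttbl")
    if pos == -1:
        return None
    start = data.rfind(b"{", 0, pos)   # the brace that opens the group
    if start == -1:
        return None
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2                      # skip the character escaped by '\'
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return None                         # unterminated group: malformed file


def count_fonts(data: bytes) -> int:
    """Number of \\fN entries declared inside the document's font table."""
    table = extract_fonttbl(data)
    if table is None:
        return 0
    return len(FONT_ENTRY_RE.findall(table))


def assess(data: bytes, max_fonts: int = MAX_SANE_FONTS) -> dict:
    """Classify a byte string: is it RTF, how many fonts, is it suspicious."""
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    fonts = count_fonts(data) if is_rtf else 0
    return {"is_rtf": is_rtf, "fonts": fonts, "suspicious": is_rtf and fonts > max_fonts}


def build_fonttbl_document(n_fonts: int) -> bytes:
    """Constructed sample: a minimal RTF whose font table has n_fonts entries,
    laid out like the PoC's {\\fN A;} groups (generated in memory only)."""
    entries = b"".join(b"{\\f%dA;}" % i for i in range(n_fonts))
    return b"{\\rtf1{\\fonttbl" + entries + b"}\\f0 text}"


# Constructed benign sample: two fonts, as an ordinary editor would write.
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss\\fcharset0 Arial;}"
    b"{\\f1\\froman\\fcharset0 Times New Roman;}}"
    b"\\pard\\f0\\fs24 Hello, world.\\par}"
)


def main(paths: list) -> None:
    samples = {"benign (constructed)": BENIGN_RTF,
               "32761-font table (constructed)": build_fonttbl_document(32761)}
    for path in paths:                  # optional: scan real files too
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, blob in samples.items():
        print(f"{name}: {assess(blob)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to assess the two built-in samples, or pass paths to .rtf files. The check is a heuristic, not a fix: a patched Word remains the only complete remedy, and the threshold should be tuned against your own document corpus before anything is blocked on it.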
Attackers can deliver such files as email attachments or by other means.
Microsoft notes that the victim does not even have to open the malicious RTF document: having it rendered in the Preview Pane (Outlook's, for instance) is enough for Word's parser to process the font table and trigger the corruption.
Potential Impact and Mitigation
Remote code execution vulnerabilities like CVE-2023-21716 are highly sought after by attackers, as they enable the wide-scale distribution of malware via email.
Although there is no indication that the vulnerability is currently being exploited in the wild, it is crucial for users to take appropriate action to protect themselves.
Microsoft Has Addressed the Vulnerability and Released Security Updates
Microsoft addressed the vulnerability in its February 2023 Patch Tuesday security updates, released on February 14, 2023. Installing them is the only complete fix.
Where patching must wait, Microsoft lists two workarounds: read email in plain text format, or enable the Microsoft Office File Block policy so that Word refuses to open RTF documents of unknown or untrusted origin. File Block is configured in the registry under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security\FileBlock (16.0 for Office 2016 and later, including the Microsoft 365 Apps), with RtfFiles set to 2 and OpenInProtectedView set to 0.
Both workarounds have costs: plain-text mail loses formatting, File Block makes Word refuse every RTF file, not just untrusted ones, the keys live under HKCU and so must be applied for each user, and a mistyped registry edit can break other Office behaviour. Treat them as temporary measures.
In conclusion, to ensure the highest level of protection against CVE-2023-21716, it is recommended to install Microsoft’s security updates as soon as possible.