CVE-2023-21716

Description

Microsoft Word Remote Code Execution Vulnerability

Add Assessment

cbeek-r7 (181)

March 06, 2023 8:12am UTC (1 year ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated Vulnerable in default configuration

Technical Analysis

A vulnerability in Microsoft’s Word wwlib allows attackers to get LCE with the privileges of the victim opens a malicious
RTF document. An attacker would be able to deliver this payload in several ways including as an attachment in spear-phishing attacks.

Affected Versions

This vulnerability affects at least the following versions of Microsoft Office:

Microsoft Office 365 (Insider Preview – 2211 Build 15831.20122 CTR)
Microsoft Office 2016 (Including Insider Slow – 1704 Build 8067.2032 CTR)
Microsoft Office 2013
Microsoft Office 2010
Microsoft Office 2007

Acknowledgement

This issue was discovered, analyzed, and reported by Joshua J. Drake (@jduck).

PoC code from @jduck:

See More &4 repliesSee Less

ccondon-r7 (286) March 09, 2023 8:26pm UTC (1 year ago)

There’s user interaction required here, right?

cbeek-r7 (181) March 10, 2023 10:05am UTC (1 year ago)

Yes, in case the exploit code is hidden as an attachment, the user should open that attachment.

VoidSec (34) March 17, 2023 9:26pm UTC (1 year ago)•

Word 2021 MSO (Version 2302 Build 16.0.16130.20186) 64-bit
Word 2021 MSO (Version 2302 Build 16.0.16130.20298) 64-bit
arevulnerable too

cdelafuente-r7 (96) March 21, 2023 2:14pm UTC (1 year ago)•Edited 1 year ago

Note that, even if user interaction is required, it can be minimal. According to Microsoft, the Preview Pane is also an attack vector, which means the user doesn’t need to open the file. Loading the RTF document in the Preview Pane should also trigger the vulnerability.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Microsoft Office LTSC for Mac 2021 16.70.23021201

Microsoft Office LTSC 2021 https://aka.ms/OfficeSecurityReleases

Microsoft SharePoint Server Subscription Edition 16.0.15601.20478

Microsoft 365 Apps for Enterprise https://aka.ms/OfficeSecurityReleases

SharePoint Server Subscription Edition Language Pack 16.0.15601.20478

Microsoft Office Online Server 16.0.10395.20001

Microsoft Office 2019 for Mac 16.70.23021201

Microsoft Office 2019 https://aka.ms/OfficeSecurityReleases

Microsoft SharePoint Enterprise Server 2016 16.0.5383.1000

Microsoft SharePoint Enterprise Server 2013 Service Pack 1 15.0.5529.1000

Microsoft SharePoint Server 2019 16.0.10395.20001

Microsoft Word 2016 16.0.5383.1000

Microsoft Office Web Apps Server 2013 Service Pack 1 15.0.5529.1000

Microsoft SharePoint Foundation 2013 Service Pack 1 15.0.5529.1000

Microsoft Word 2013 Service Pack 1 15.0.5529.1000

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

office 2019,
office long term servicing channel 2021,
office online server 2016,
office web apps 2013,
sharepoint enterprise server 2013,
sharepoint enterprise server 2016,
sharepoint foundation 2013,
sharepoint server -,
sharepoint server 2019,
word 2013

Exploited in the Wild

Reported by:

chihieutp

Reported: March 10, 2023 6:05am UTC (1 year ago)

VoidSec indicated source as Personally observed in an environment

Reported: March 17, 2023 9:18pm UTC (1 year ago)

References

Canonical

CVE-2023-21716 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21716)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

Details Vuln & PoC (https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md)

CVE-2023-21716 (https://github.com/gyaansastra/CVE-2023-21716) (Added by AKB Worker)

CVE-2023-21716 (https://github.com/Xnuvers007/CVE-2023-21716) (Added by AKB Worker)

Miscellaneous

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716

Rapid7

Very High

Very High

Very High

None

None

Network

CVE-2023-21716

Description

Add Assessment

Ratings

Technical Analysis

Affected Versions

Acknowledgement

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification