Microsoft Word is an essential tool used by individuals and businesses globally. However, it has recently been discovered that Microsoft Word is susceptible to a critical vulnerability known as RTF Font Table Heap Corruption, which can allow attackers to execute arbitrary commands with the victim's privileges via malicious RTF files.
In this article, we discuss how to detect and protect against the vulnerability to ensure your systems remain secure.
Microsoft Word is capable of handling Rich Text Format (RTF) documents, which are made up of 7-bit ASCII-based keywords that can carry a wide range of rich content. Recently, a vulnerability was found in MS Office Word's RTF parser that leads to heap corruption. This issue has been assigned CVE-2023-21716 and was discovered, analyzed, and reported by Joshua J. Drake (@jduck). He has shared a proof of concept on Twitter, which can be seen in the following figure.
The RTF parser in Microsoft Word has a heap corruption vulnerability that is triggered when it encounters a font table (\fonttbl) containing an excessive number of fonts (\f###). While processing a font table, the RTF parser loads the font ID value (\f###) and fills the upper bits of EDX with it. If a font ID value within the font table is too large, the parser corrupts the heap, producing a negative offset from the pointer held in ESI. This heap corruption can be exploited to execute arbitrary commands with the privileges of the victim.
This vulnerability has garnered significant attention, primarily due to the following reasons:
It is worth noting that the victim may not even need to open the RTF document, and merely loading the file in the preview pane is enough to trigger the compromise.
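The description above gives a defender two cheap triage signals for an RTF attachment before it reaches Word or the preview pane: how many font entries the \fonttbl group declares, and how large the font IDs are. The following Python script is an added example, not code from the Mondoo post or from Joshua Drake's proof of concept. It extracts the \fonttbl group (honouring nested and escaped braces), counts the \fN entries, and flags the file when either value exceeds a threshold. The thresholds and the three sample documents are constructed assumptions for this example; the advisory does not publish a specific limit.

```python
import re
from typing import Dict, Optional

# Triage thresholds. These are assumptions for this example, not values from the
# advisory: legitimate documents rarely declare more than a few dozen fonts, and
# font IDs are normally small sequential integers.
MAX_FONT_ENTRIES = 1024
MAX_FONT_ID = 32767

FONT_ENTRY = re.compile(r"\\f(\d+)")  # a \fN font definition, e.g. \f0, \f1


def extract_group(rtf: str, control_word: str) -> Optional[str]:
    """Return the body of the first {<control_word> ...} group, honouring nested
    braces and backslash-escaped braces. None if the group is absent or unterminated."""
    start = rtf.find("{" + control_word)
    if start == -1:
        return None
    depth = 0
    i = start
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\" and i + 1 < len(rtf) and rtf[i + 1] in "{}\\":
            i += 2  # escaped brace or backslash is text, not a group delimiter
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return rtf[start + 1 : i]
        i += 1
    return None  # group never closed: malformed file


def inspect_font_table(rtf: str) -> Dict[str, object]:
    """Summarise the \\fonttbl group and flag tables that are suspiciously large."""
    table = extract_group(rtf, r"\fonttbl")
    if table is None:
        return {"entries": 0, "max_font_id": None, "suspicious": False,
                "reason": "no font table found"}
    font_ids = [int(m) for m in FONT_ENTRY.findall(table)]
    entries = len(font_ids)
    max_id = max(font_ids) if font_ids else None
    reasons = []
    if entries > MAX_FONT_ENTRIES:
        reasons.append(f"{entries} font entries exceeds {MAX_FONT_ENTRIES}")
    if max_id is not None and max_id > MAX_FONT_ID:
        reasons.append(f"font ID {max_id} exceeds {MAX_FONT_ID}")
    return {"entries": entries, "max_font_id": max_id,
            "suspicious": bool(reasons), "reason": "; ".join(reasons) or "within limits"}


# Constructed sample documents (not real malware samples).
BENIGN_RTF = (r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f1\froman Times New Roman;}}"
              r"\f0\fs24 Hello, world.\par}")
# A font table declaring one absurdly large font ID.
LARGE_ID_RTF = r"{\rtf1\ansi{\fonttbl{\f0\fswiss Arial;}{\f65535\fnil X;}}\f0 text\par}"
# A font table padded with far more entries than any real document needs.
MANY_FONTS_RTF = (r"{\rtf1\ansi{\fonttbl"
                  + "".join(rf"{{\f{i}\fnil F{i};}}" for i in range(MAX_FONT_ENTRIES + 1))
                  + r"}\f0 text\par}")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("large-id", LARGE_ID_RTF),
                       ("many-fonts", MANY_FONTS_RTF)):
        print(label, inspect_font_table(doc))
```

Run it over a mail gateway's RTF attachments or a quarantine folder to prioritise samples for analysis; a hit is a triage signal, not proof of exploitation, so pair it with patch status from the queries later in this article.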
Dealing with this vulnerability involves the following steps:
Microsoft published an advisory for the critical vulnerability CVE-2023-21716, which affects the following products:
And the following SharePoint versions:
With Mondoo's GraphQL-based query language, MQL, you can efficiently collect information about the installed packages on your assets, whether they are container images, VMs, bare-metal servers, or anything else.
If you have not yet installed cnquery, follow our instructions. Once you've installed it, you can gather information about installed packages from a Windows system via SSH:
cnquery shell ssh vagrant@192.168.56.221 --ask-pass
packages.where( name == /Office/ && name == /2016|2019|2021/ )
You also can run the cnquery shell in PowerShell on the Windows system:
.\cnquery.exe shell
packages.where( name == /SharePoint/ )
We have incorporated a dedicated Windows Incident Response Pack to facilitate rapid data collection. You can download the complete repository from cnquery-packs. This pack enables you to validate container images, running containers, virtual machines, and the local machine.
To inspect the Windows system via SSH, run the following:
cnquery scan ssh vagrant@192.168.56.221 --ask-pass -f cnquery-packs/core/mondoo-windows-incident-response.mql.yaml -o full
You can apply the same approach locally:
.\cnquery.exe scan --querypack mondoo-windows-incident-response -o full
After patching all identified systems, it is crucial to prevent any new systems from running versions of Microsoft Word, Office, or SharePoint that are affected by the RTF Font Table Heap Corruption vulnerability. To address this, we have introduced a new Microsoft Vulnerability Policy in cnspec. This policy verifies that no installed package is impacted by the vulnerability.
If you have not yet installed cnspec, follow our instructions. cnspec enforces the correct settings through controls that use MQL queries. These queries verify that no affected version is installed:
packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 15 && version.split('.')[2] >= 5529)
packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 5383)
packages.where( name == /SharePoint/ && name == /2019/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 10395)
packages.where( name == /Office/ && name == /2016|2019|2021/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 16026)
Download the cnspec-policies repo and run the policy via SSH (first command) or locally on the Windows system (second command):
cnspec scan ssh vagrant@192.168.56.221 --ask-pass -f cnspec-policies/core/mondoo-microsoft-vulnerability.mql.yaml
.\cnspec.exe scan -f .\cnspec-policies-main\core\mondoo-microsoft-vulnerability.mql.yaml
Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.