{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3amicrosoftoffice_long_term_servicing_channel2021macos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*","cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","cpe:2.3:a:microsoft:office_online_server:2016:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:*","cpe:2.3:a:microsoft:sharepoint_enterprise_server:2013:sp1:*:*:*:*:*:*","cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*","cpe:2.3:a:microsoft:sharepoint_server:-:*:*:*:subscription:*:*:*","cpe:2.3:a:microsoft:sharepoint_server:-:language_pack:*:*:subscription:*:*:*","cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*","cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:*","cpe:2.3:a:microsoft:word:2013:sp1:*:*:rt:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-21716"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Word 2016"],"_cs_severities":["critical"],"_cs_tags":["cve-2023-21716","rtf","heap overflow","remote code execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2023-21716 is a heap-based buffer overflow vulnerability found in Microsoft Word 2016\u0026rsquo;s RTF parser (specifically, in \u003ccode\u003ewwlib.dll\u003c/code\u003e). The vulnerability stems from improper bounds checking when parsing the \u003ccode\u003e\\fonttbl\u003c/code\u003e tag within an RTF file, particularly when the tag contains an excessive number of font IDs (e.g., \u003ccode\u003e\\f###\u003c/code\u003e). A specially crafted RTF file can trigger the overflow, leading to remote code execution (RCE) with the privileges of the victim user. The vulnerability affects Microsoft Word 2016 on Windows 7 and has a CVSS score of 9.8 (Critical). The attack vector involves delivering the malicious RTF file via email or a shared file location. This vulnerability poses a significant threat because it allows attackers to execute arbitrary code on a vulnerable system simply by enticing a user to open a malicious document.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious RTF file containing an overly large \u003ccode\u003e\\fonttbl\u003c/code\u003e section with many font IDs (\u003ccode\u003e\\f###\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious RTF file to the victim via email attachment or shared network drive.\u003c/li\u003e\n\u003cli\u003eThe victim opens the RTF file using Microsoft Word 2016 on Windows 7.\u003c/li\u003e\n\u003cli\u003eMicrosoft Word attempts to parse the \u003ccode\u003e\\fonttbl\u003c/code\u003e section of the RTF file using the \u003ccode\u003ewwlib.dll\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eDue to the excessive number of font IDs, the bounds check fails, resulting in a heap-based buffer overflow in \u003ccode\u003ewwlib.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites critical data on the heap, leading to memory corruption.\u003c/li\u003e\n\u003cli\u003eThe application crashes with an exception code \u003ccode\u003ec0000374\u003c/code\u003e (heap corruption).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the heap overflow to execute arbitrary code within the context of the Microsoft Word process, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-21716 allows an attacker to execute arbitrary code on a vulnerable Windows 7 system running Microsoft Word 2016. This can lead to a complete compromise of the system, including data theft, malware installation, and further lateral movement within the network. The vulnerability has a CVSS score of 9.8 (Critical), reflecting its high severity and potential for widespread impact. While specific victim counts are unavailable, the broad use of Microsoft Word makes this vulnerability a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAlthough Windows 7 is EOL, consider the following actions if you must continue to support it.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Microsoft Word (\u003ccode\u003eWINWORD.EXE\u003c/code\u003e) spawning unusual child processes, indicative of successful code execution, and deploy the \u0026ldquo;Microsoft Word Spawning Suspicious Child Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable process auditing on systems running Microsoft Word and review logs for crashes related to \u003ccode\u003ewwlib.dll\u003c/code\u003e or exception code \u003ccode\u003ec0000374\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider blocking RTF files delivered via email at the email gateway. This can prevent the initial attack vector.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-microsoft-word-rce/","summary":"CVE-2023-21716 is a critical heap-based buffer overflow vulnerability in Microsoft Word 2016's RTF parser, triggered by a malformed RTF file, leading to remote code execution on Windows 7.","title":"Microsoft Word RTF Heap Overflow Vulnerability (CVE-2023-21716)","url":"https://feed.craftedsignal.io/briefs/2024-01-microsoft-word-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*","version":"https://jsonfeed.org/version/1.1"}