Attack Chain

1. Attacker crafts a malicious RTF file containing an overly large \fonttbl section with many font IDs (\f###).
2. The attacker sends the malicious RTF file to the victim via email attachment or shared network drive.
3. The victim opens the RTF file using Microsoft Word 2016 on Windows 7.
4. Microsoft Word attempts to parse the \fonttbl section of the RTF file using the wwlib.dll library.
5. Due to the excessive number of font IDs, the bounds check fails, resulting in a heap-based buffer overflow in wwlib.dll.
6. The overflow overwrites critical data on the heap, leading to memory corruption.
7. The application crashes with an exception code c0000374 (heap corruption).
8. The attacker leverages the heap overflow to execute arbitrary code within the context of the Microsoft Word process, achieving remote code execution.

Impact

Successful exploitation of CVE-2023-21716 allows an attacker to execute arbitrary code on a vulnerable Windows 7 system running Microsoft Word 2016. This can lead to a complete compromise of the system, including data theft, malware installation, and further lateral movement within the network. The vulnerability has a CVSS score of 9.8 (Critical), reflecting its high severity and potential for widespread impact. While specific victim counts are unavailable, the broad use of Microsoft Word makes this vulnerability a significant risk.

Recommendation

• Although Windows 7 is EOL, consider the following actions if you must continue to support it.
• Monitor process creation events for Microsoft Word (WINWORD.EXE) spawning unusual child processes, indicative of successful code execution, and deploy the “Microsoft Word Spawning Suspicious Child Process” Sigma rule.
• Enable process auditing on systems running Microsoft Word and review logs for crashes related to wwlib.dll or exception code c0000374.
• Consider blocking RTF files delivered via email at the email gateway. This can prevent the initial attack vector.