Vulnerabilities

Fix Critical Word RTF Font Table Heap Bug CVE-2023-21716: Open Source Solution

Microsoft Word is an essential tool used by individuals and businesses globally. However, it has recently been discovered that Microsoft Word is susceptible to a critical vulnerability known as RTF Font Table Heap Corruption, which can allow attackers to execute arbitrary commands with the victim's privileges via malicious RTF files.

In this article, we discuss how to detect and protect against the vulnerability to ensure your systems remain secure.

Understanding the Vulnerability

Microsoft Word is capable of handling Rich-Text Format (RTF) documents which are made up of 7-bit ASCII-based keywords that can contain a vast range of rich content. Recently, a vulnerability was found in MS Office Word's RTF parser that leads to heap corruption. This issue has been assigned CVE-2021-21974 and was discovered, analyzed, and reported by Joshua J. Drake (@jduck). He has shared a proof of concept on Twitter which can be seen in the following figure.

joshuajdrak

The RTF parser in Microsoft Word has a vulnerability related to heap corruption when it encounters a font table (\fonttbl) that has an excessive number of fonts (\f###). During the processing of font tables, the RTF parser loads the font ID value (\f####) and fills the upper bits of EDX with this value. If the font ID value within a font table is too large, the RTF parser can corrupt the heap, leading to a negative offset in the memory stored in ESI. This heap corruption vulnerability can be exploited to execute arbitrary commands with the privileges of the victim.

This vulnerability has garnered significant attention, primarily due to the following reasons:

  • The attack is of low complexity and can be as simple as attaching an RTF document to an email.
  • The attacker does not need privileged user access.
  • The victim does not need to interact with the document for the attack to occur.
  • No prior authentication is required.
  • The supposedly secure "preview pane" feature in Microsoft can also be used as a threat vector.

It is worth noting that the victim may not even need to open the RTF document, and merely loading the file in the preview pane is enough to trigger the compromise.

Dealing with this vulnerability involves the following steps:

  • The safest approach is to install the security update from Microsoft
  • For those who cannot apply the fixes, one solution is to read emails in plain text format
  • Another option is to enable the Microsoft Office File Block Policy, which involves editing the registry

Are Your Systems at Risk? Detecting the Microsoft Word RTF Font Table Heap Corruption CVE-2023-21716

Microsoft issued the critical vulnerability CVE-2023-21716, which affects the following:

  • Office 2021 Retail: Version less than 2301 (Build 16026.20200)
  • Office 2019 Retail: Version less than 2301 (Build 16026.20200)
  • Office 2016 Retail: Version less than 2301 (Build 16026.20200)
  • Office LTSC 2021 Volume Licensed: Version less than 2108 (Build 14332.20461)
  • Office 2019 Volume Licensed: Version less than 1808 (Build 10395.20020)

And the following SharePoint versions:

  • SharePoint Enterprise Server 2013: Version less than 15.0.5529.1000
  • SharePoint Enterprise Server 2016: Version less than 16.0.5383.1000
  • SharePoint Enterprise Server 2019: Version less than 16.0.10395.20001.

Efficiently Conduct Asset Inventory in Multi-Cloud and Hybrid Cloud Environments: A Mondoo Solution

With Mondoo's GraphQL-based query language, MQL, you can efficiently collect information about the installed packages on your assets, whether they are container images, VMs, bare-metal servers, or anything else.

Find and fix the security risks that pose the biggest threat to your business.

If you have not yet installed cnquery, follow our instructions. Once you've installed it, you can gather information about installed packages from a Windows system via ssh:

cnquery shell ssh vagrant@192.168.56.221 --ask-pass

packages.where( name == /Office/ && name == /2016|2019|2021/ )

Use cnquery to gather information about installed packages from a Windows system via ssh

You also can run the cnquery shell in PowerShell on the Windows system:

.\cnquery.exe shell

packages.where( name == /SharePoint/ )

cnquery shell in PowerShell on the Windows system

We have incorporated a dedicated Windows Incident Response Pack to facilitate rapid data collection. You can download the complete repository from cnquery-packs. This pack enables you to validate container images, running containers, virtual machines, and the local machine.

To inspect the Windows system via ssh, run the following:

cnquery scan ssh vagrant@192.168.56.221 --ask-pass -f cnquery-packs/core/mondoo-windows-incident-response.mql.yaml -o full
Use cnquery to inspect the Windows system via ssh

You can apply the same approach locally:

.\cnquery.exe scan --querypack mondoo-windows-incident-response -o full
Use cnquery to inspect the Windows system local approach

Preventing Future Vulnerabilities: Ensuring No New Installations are Affected by CVE-2023-21716

After patching all identified systems, it is crucial to prevent any new systems from using the affected versions of Microsoft Word RTF Font Table Heap Corruption. To address this, we have introduced a new Microsoft Vulnerability Policy in cnspec. This policy verifies that all packages are not impacted by the vulnerability.

If you have not yet installed cnspec, follow our instructions. cnspec enforces the correct settings through controls that use MQL queries. This query allows you to verify that the affected version is not used:

packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 15 && version.split('.')[2] >= 5529)
packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 5383)
packages.where( name == /SharePoint/ && name == /2019/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 10395)

packages.where( name == /Office/ && name == /2016|2019|2021/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 16026)

Download the cnspec-policy repo and run the cnspec policy via ssh:

cnspec scan ssh vagrant@192.168.56.221 --ask-pass -f cnspec-policies/core/mondoo-microsoft-vulnerability.mql.yaml

run cnspec policy via ssh
.\cnspec.exe scan -f .\cnspec-policies-main\core\mondoo-microsoft-vulnerability.mql.yaml

cnspec scan for vulnerabilities

Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.

Patrick Münch

Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, their goal to increase the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.

You might also like

Releases
Mondoo November 2024 Release Highlights
Overview of Changes and New Security Features in Windows Server 2025
Releases
Mondoo October 2024 Release Highlights