As a part of Patch Tuesday, Microsoft released patches for a critical remote code execution vulnerability found in Office Word's RTF parser. CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical) and affects a wide variety of Microsoft Office, SharePoint, and 365 Apps versions. Users are advised to update to the latest versions as soon as possible.
Picus Labs added simulations for CVE-2023-21716 vulnerability exploitation attacks to Picus Threat Library. In this blog, we explained the Microsoft Word CVE-2023-21716 remote code execution vulnerability in detail.
Learn How to Prevent Emerging Threats with '2x Prevention with BAS' Whitepaper
CVE-2023-21716 vulnerability was privately disclosed to Microsoft in November 2022, and Microsoft addressed the vulnerability in their Patch Tuesday updates on February 14, 2023. The vulnerability is a heap corruption vulnerability found in MS Office Word's RTF parser. When exploited, the vulnerability allows adversaries to execute arbitrary commands with the victim's privileges via malicious RTF files. Even loading the malicious RTF document in the Preview Pane is enough for exploitation, and the victims do not have to open the payload. Due to the low complexity and high impact of potential exploitation, the CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical).
The following Microsoft products are affected by the CVE-2023-21716 vulnerability, and users are advised to patch their vulnerable products as soon as possible.
Affected products |
|
Microsoft 365 Apps |
for Enterprise
|
Microsoft Office |
Office 2019
Office LTSC 2021
Office Online Server Office Web Apps Server 2013 Service Pack 1 |
Microsoft Word |
Word 2013
Word 2016
|
Microsoft SharePoint |
Enterprise Server 2013 Service Pack 1 Enterprise Server 2016 Foundation 2013 Service Pack 1 Server 2019 Server Subscription Edition Server Subscription Edition Language Pack |
If patching the vulnerable products is not an option, users may apply the following workarounds to limit potential CVE-2023-21716 exploits.
Configure Microsoft Outlook to read all standard mail in plaintext
Use Microsoft Office File Block policy to prevent MS Office from opening RTF documents from untrusted sources.
Change the RtfFiles DWORD value to 2 and OpenInProtectedView DWORD value to 0 for the following registries
Office 2013: HKCU\Software\Microsoft\Office\15.0\Word\Security\FileBlock
Office 2016, 2019, 2021: HKCU\Software\Microsoft\Office\16.0\Word\Security\FileBlock
CVE-2023-21716 vulnerability is a heap corruption vulnerability found in Microsoft Word's RTF Parser. When dealing with font tables, the RTF parser loads the font ID value (\f####) and fills the upper bits of EDX with the font ID value. If a font table (\fonttbl) contains too large of a font ID value, the RTF parser corrupts the heap and causes a negative offset in the memory held in ESI. This heap corruption can then be exploited for arbitrary command execution with the victim's privileges.
open("malicious.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch No Crash}\n}}\n").encode('utf-8')) |
Example 1: Proof of Concept for CVE-2023-21716 Exploit
To exploit this vulnerability, adversaries create a malicious RTF file and deliver the payload via email or other means. When an unsuspecting user either opens or previews the malicious RTF file, adversaries execute arbitrary commands in the system and may potentially gain remote access to their target.
We also strongly suggest simulating Microsoft Word CVE-2023-21716 attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other vulnerabilities, such as Log4Shell, Follina, ProxyShell, and ProxyNotShell, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Microsoft Word CVE-2023-21716 Attacks:
Threat ID |
Threat Name |
Attack Module |
36484 |
Microsoft Office Word RTF Font Table Heap Corruption Vulnerability Threat |
Network Infiltration |
39959 |
Microsoft Office Word RTF Font Table Heap Corruption Vulnerability Threat |
Email Infiltration (Phishing) |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Microsoft Word CVE-2023-21716 vulnerability exploitation attacks and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Microsoft Word CVE-2023-21716 vulnerability:
Security Control |
Signature ID |
Signature Name |
Check Point NGFW |
0EE5C289A |
Malicious Binary.TC.3015fGer |
McAfee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Security Validation Platform.