
CVE-2021-40444: A Closer Look at the Office Document Exploit




CVE-2021-40444 is a critical remote code execution (RCE) vulnerability affecting Microsoft Windows via the MSHTML (Trident) engine, which is used by Internet Explorer and Microsoft Office documents. Identified in the wild in August 2021, this vulnerability has been actively exploited by attackers, posing a significant threat to various industries worldwide. Exploitation involves specially crafted Microsoft Office documents containing malicious ActiveX controls that, when opened, execute arbitrary code. This report provides a comprehensive analysis of the vulnerability, its exploitation, affected product versions, and recommended mitigation strategies.


Targeted Sectors and Countries

CVE-2021-40444 has been used to target multiple sectors, including:

  • Financial Services

  • Healthcare

  • Government

  • Information Technology

  • Energy

Countries affected include the United States, Canada, the United Kingdom, Australia, and several European nations. The widespread nature of this exploitation underscores the need for urgent mitigation measures.


CVE-2021-40444 - Technical Information

CVE-2021-40444 exploits the MSHTML engine used by Internet Explorer and Microsoft Office documents. The vulnerability is triggered through maliciously crafted Office documents containing embedded ActiveX controls.


Initial Discovery

In August 2021, a malicious Word document exploiting CVE-2021-40444 was uploaded to VirusTotal by a user from Argentina and was initially detected by only one antivirus engine. Researchers from Mandiant and EXPMON reported the vulnerability to Microsoft, prompting a security advisory.


Exploit Mechanism

  1. Malicious Document: Attackers craft a Word document embedding a malicious URL within an OLE object. This URL points to an HTML page with obfuscated JavaScript hosted on a remote server.

  2. MSHTML Engine: Upon opening the document, the MSHTML engine processes the embedded content, triggering the execution of the remote JavaScript.

  3. JavaScript Execution: The JavaScript creates and destroys an iframe, retaining a reference to its ActiveX scripting surface.

  4. CAB File Extraction: The script initiates an XMLHttpRequest to download a CAB file containing a malicious INF file, extracted to the user's %TEMP% directory.

  5. ActiveX Control: An arbitrary ActiveX control is created, pointing to the downloaded CAB file. During the CAB file's signature verification, the INF file is extracted.

  6. Payload Execution: The INF file is executed using a relative path escape via the ".cpl" file extension, initiating the payload.


Detailed Exploitation Process

  • URL Protocol "mhtml": The URL in the Word document uses the "mhtml" protocol, invoking the MSHTML engine to process the remote HTML page.

  • ActiveX Control Creation: The JavaScript creates an ActiveX control object pointing to the CAB file, which is extracted to a predictable location due to a bug in the CAB file extraction process.

  • Payload Execution: The ".cpl" URL protocol is exploited to execute the INF file, leading to the attacker's payload execution.
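A defensive check for the "mhtml" URL described above, as an added example that is not part of the original report: it scans the relationship parts of an Office document for external targets that use that scheme. The function names, the example.invalid URLs and the sample document are constructed for illustration, and the code assumes the URL is stored as an external relationship inside the OOXML package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPICIOUS_SCHEMES = ("mhtml:",)  # the URL scheme this page describes

def find_external_mhtml(docx_bytes):
    """Return (part, relationship kind, target) for each external mhtml: target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:
                # OOXML parts never need a DTD; report it instead of parsing it.
                hits.append((name, "unexpected DOCTYPE", ""))
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                target = rel.get("Target", "").strip()
                external = rel.get("TargetMode", "").lower() == "external"
                if external and target.lower().startswith(SUSPICIOUS_SCHEMES):
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, target))
    return hits

def build_sample(ole_target):
    """Constructed sample: a ZIP with one relationships part (not a real document)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS[1:-1]}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
        f'Target="{ole_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_external_mhtml(build_sample("mhtml:http://example.invalid/page.html")):
        print("suspicious external relationship:", hit)
```

The scheme comparison is case-insensitive, and ordinary external hyperlinks are not reported, so the check can run on inbound attachments at a mail gateway or during triage.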


Exploitation in the Wild

CVE-2021-40444 has been actively exploited, delivering various types of malware, including Cobalt Strike beacons. The use of sophisticated exploitation techniques suggests potential state-sponsored involvement, though specific APT groups have not been publicly identified. The vulnerability has impacted sectors across multiple countries, highlighting its broad impact.



 



APT Groups Using This Vulnerability

No specific APT groups exploiting CVE-2021-40444 have been publicly identified. However, the sophisticated techniques used indicate potential state-sponsored actor involvement.


Affected Product Versions

The following Microsoft Windows versions are affected by CVE-2021-40444:

  • Windows 10 versions: 1507 (build 10.0), 1607, 1809, 1909, 2004, 20H2, 21H1

  • Windows 11

  • Windows Server versions: 2016, 2019, 2022

  • Windows 7 SP1

  • Windows 8.1


Workaround and Mitigation

Organizations should implement the following strategies to mitigate the risk of CVE-2021-40444:

  1. Patch Deployment: Ensure systems are updated with the latest security patches released by Microsoft as of September 14, 2021.

  2. Disable ActiveX: Disable ActiveX controls in Microsoft Office via Group Policy settings.

  3. Network Segmentation: Implement network segmentation to limit malware spread if exploited.

  4. Email Filtering: Use advanced email filtering to block suspicious attachments and links.

  5. User Training: Educate users on the risks of opening unsolicited attachments and links.




About Rescana

Rescana specializes in Continual Threat and Exposure Management (CTEM), helping customers identify, assess, and mitigate vulnerabilities to enhance their cybersecurity posture. For questions about this report or any other issues, please contact us at ops@rescana.com.
