Executive Summary
CVE-2023-36884 is a high-severity Windows Search Remote Code Execution (RCE) vulnerability that affects various versions of Microsoft Office and Windows. This vulnerability allows attackers to execute arbitrary code on the affected system by convincing the victim to open a specially crafted Microsoft Office document. The vulnerability has been actively exploited in the wild, making it a critical issue for organizations using affected Microsoft products. Notably, Russian APT groups, specifically Storm-0978 (also known as the RomCom Group), have been linked to attacks exploiting this vulnerability. These groups have targeted sectors in the United States and Europe, leveraging the vulnerability as part of a larger attack chain to bypass security features and execute remote code.
Technical Information
CVE-2023-36884 is a Windows Search Remote Code Execution vulnerability with a CVSS v3.1 Base Score of 7.5, indicating high severity. The vulnerability is identified by the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, which means it is reachable over the network, has high attack complexity, requires no privileges but does require user interaction, leaves scope unchanged, and has a high impact on confidentiality, integrity, and availability.
The vulnerability affects the following products:
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office 2021 (LTSC, x64 and x86)
- Microsoft Word 2013 SP1
- Microsoft Word 2016
- Windows 10 (various versions up to 22H2)
The exploitation process involves sending a specially crafted Microsoft Office document to the victim via email or instant messaging. When the victim opens the document, the malicious code is executed, allowing the attacker to gain control over the affected system. This vulnerability is particularly dangerous because it can be exploited with minimal user interaction, making it an attractive target for attackers.
Exploitation in the Wild
Microsoft has confirmed that CVE-2023-36884 has been exploited in targeted attacks. The exploitation involves sending a specially crafted Microsoft Office document to the victim via email or instant messaging. When the victim opens the document, the malicious code is executed, allowing the attacker to gain control over the affected system.
Notable exploits and campaigns include:
- APT Group Involvement: The vulnerability has been linked to attacks by Russian APT groups, specifically Storm-0978 (also known as the RomCom Group). These groups have used the vulnerability as part of a larger attack chain to bypass security features and execute remote code.
- Proof of Concept (PoC): A PoC for this vulnerability has been published by various security researchers, demonstrating the ease with which the vulnerability can be exploited.
Exploit references can be found at the following links:
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub - Maxwitat: https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline
- GitHub - jakabakos: https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE
- GitHub - ridsoliveira: https://github.com/ridsoliveira/Fix-CVE-2023-36884
- GitHub - tarraschk: https://github.com/tarraschk/CVE-2023-36884-Checker
- GitHub - zerosorai: https://github.com/zerosorai/CVE-2023-36884
APT Groups using this vulnerability
The Storm-0978 (RomCom Group) has been identified as actively exploiting CVE-2023-36884. This group is known for its sophisticated cyber-espionage campaigns targeting sectors in the United States and Europe. By leveraging this vulnerability, they have been able to bypass security features and execute remote code, gaining unauthorized access to sensitive information and systems.
Affected Product Versions
The following product versions are affected by CVE-2023-36884:
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office 2021 (LTSC, x64 and x86)
- Microsoft Word 2013 SP1
- Microsoft Word 2016
- Windows 10 (various versions up to 22H2)
Workaround and Mitigation
Microsoft has released security patches to address CVE-2023-36884. Organizations are strongly advised to apply these patches immediately. In addition to patching, the following mitigation strategies can help reduce the risk of exploitation:
Disabling Windows Search can mitigate the risk of exploitation if it is not required. Implementing email and web filtering can block malicious documents and links. Educating users about the risks of opening unsolicited documents and emails is also crucial.
Specific mitigation steps include:
1. Microsoft Defender for Office: Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
2. Attack Surface Reduction Rule: The use of the "Block all Office applications from creating child processes" Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
3. Registry Key Modifications: Organizations can add specific application names to the registry key
A PowerShell script has been provided by NinjaOne to automate the registry changes required to mitigate CVE-2023-36884. The script can be used to deploy the mitigation remotely and at scale. The script is available for download on the NinjaOne website.
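As an added example of what such a deployable script looks like (this is not the NinjaOne script and not code from the report), the following PowerShell audits or remediates mitigation steps 2 and 3 above in the shape Intune remediation and SCCM compliance baselines expect: audit mode prints Compliant/NonCompliant and exits 1 when a change is needed, remediate mode applies the change. The registry key path and the application names are placeholders and must be replaced with the exact key and executable names given in Microsoft's advisory for CVE-2023-36884; the DWORD value 1 is likewise an assumption to confirm against the advisory. The ASR rule id is the documented id for "Block all Office applications from creating child processes".

```powershell
<#
  Added example (not the NinjaOne script, not the report's code).
  Audits (default) or remediates two host-level mitigations for CVE-2023-36884:
    step 2 - ASR rule "Block all Office applications from creating child processes"
    step 3 - per-application DWORD values under a policy registry key
  ASSUMPTIONS: $KeyPath and $ApplicationNames are PLACEHOLDERS; substitute the
  key and executable names from Microsoft's advisory. Value 1 = "blocked" is
  assumed. Run elevated; Get-/Add-MpPreference need Microsoft Defender.
#>
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Remediate')]
    [string]$Mode = 'Audit',
    [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\PLACEHOLDER_VENDOR\PLACEHOLDER_FEATURE',
    [string[]]$ApplicationNames = @('PLACEHOLDER_App1.exe', 'PLACEHOLDER_App2.exe')
)

# Documented rule id for "Block all Office applications from creating child processes".
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$findings  = New-Object System.Collections.Generic.List[string]

# --- Step 2: Attack Surface Reduction rule must be in Block mode ---
$mp      = Get-MpPreference
$ids     = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($mp.AttackSurfaceReductionRules_Actions)
$asrEnabled = $false
for ($i = 0; $i -lt $ids.Count; $i++) {
    # Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn
    if ($ids[$i] -eq $AsrRuleId -and $actions[$i] -eq 1) { $asrEnabled = $true }
}
if (-not $asrEnabled) {
    if ($Mode -eq 'Remediate') {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                         -AttackSurfaceReductionRules_Actions Enabled
        $findings.Add("Enabled ASR rule $AsrRuleId in Block mode")
    } else {
        $findings.Add("ASR rule $AsrRuleId is not in Block mode")
    }
}

# --- Step 3: each listed application needs a DWORD value of 1 under $KeyPath ---
foreach ($app in $ApplicationNames) {
    $item    = Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$app } else { $null }
    if ($current -ne 1) {
        if ($Mode -eq 'Remediate') {
            if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
            New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
            $findings.Add("Set $KeyPath\$app = 1")
        } else {
            $findings.Add("$KeyPath\$app is not set to DWORD 1")
        }
    }
}

# --- Report in the form a detection/compliance script is expected to use ---
if ($Mode -eq 'Audit') {
    if ($findings.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'NonCompliant'
    exit 1
}
$findings | ForEach-Object { Write-Output $_ }
Write-Output "Remediation complete ($($findings.Count) change(s) applied)"
```

Deploy the same file twice: once as the detection script (default Audit mode, where exit code 1 triggers remediation) and once as the remediation script with `-Mode Remediate`. Keeping the check and the fix in one idempotent script means a second run after remediation reports Compliant without touching the registry or Defender again, which is what a compliance baseline needs to stay stable.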
References
For more detailed information, please refer to the following sources:
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub - Maxwitat: https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline
- GitHub - jakabakos: https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE
- GitHub - ridsoliveira: https://github.com/ridsoliveira/Fix-CVE-2023-36884
- GitHub - tarraschk: https://github.com/tarraschk/CVE-2023-36884-Checker
- GitHub - zerosorai: https://github.com/zerosorai/CVE-2023-36884
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you stay ahead of vulnerabilities like CVE-2023-36884. By continuously monitoring your systems and providing actionable insights, we enable you to proactively manage your cybersecurity posture. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.