Exploited Windows Search RCE Vulnerability CVE-2023-36884 Targets Microsoft Office and Windows Systems

Executive Summary

CVE-2023-36884 is a high-severity Windows Search Remote Code Execution (RCE) vulnerability that affects various versions of Microsoft Office and Windows. This vulnerability allows attackers to execute arbitrary code on the affected system by convincing the victim to open a specially crafted Microsoft Office document. The vulnerability has been actively exploited in the wild, making it a critical issue for organizations using affected Microsoft products. Notably, Russian APT groups, specifically Storm-0978 (also known as the RomCom Group), have been linked to attacks exploiting this vulnerability. These groups have targeted sectors in the United States and Europe, leveraging the vulnerability as part of a larger attack chain to bypass security features and execute remote code.

Technical Information

CVE-2023-36884 is a Windows Search Remote Code Execution vulnerability with a CVSS v3.1 Base Score of 7.5 (high severity). Its vector is AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: the attack is network-reachable with high attack complexity, needs no privileges but does require user interaction, and has a high impact on confidentiality, integrity, and availability.

The vulnerability affects the following products:
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office 2021 (LTSC, x64 and x86)
- Microsoft Word 2013 SP1
- Microsoft Word 2016
- Windows 10 (various versions up to 22H2)

The exploitation process involves delivering a specially crafted Microsoft Office document to the victim via email or instant messaging. When the victim opens the document, the malicious code is executed, allowing the attacker to gain control over the affected system. The vulnerability is particularly dangerous because the only user interaction required is opening the document, which makes it an attractive vector for attackers.

Exploitation in the Wild

Microsoft has confirmed that CVE-2023-36884 has been exploited in targeted attacks. The exploitation involves sending a specially crafted Microsoft Office document to the victim via email or instant messaging. When the victim opens the document, the malicious code is executed, allowing the attacker to gain control over the affected system.

Notable exploits and campaigns include:
- APT Group Involvement: The vulnerability has been linked to attacks by Russian APT groups, specifically Storm-0978 (also known as the RomCom Group). These groups have used the vulnerability as part of a larger attack chain to bypass security features and execute remote code.
- Proof of Concept (PoC): A PoC for this vulnerability has been published by various security researchers, demonstrating the ease with which the vulnerability can be exploited.

Exploit references can be found at the following links:
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub - Maxwitat: https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline
- GitHub - jakabakos: https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE
- GitHub - ridsoliveira: https://github.com/ridsoliveira/Fix-CVE-2023-36884
- GitHub - tarraschk: https://github.com/tarraschk/CVE-2023-36884-Checker
- GitHub - zerosorai: https://github.com/zerosorai/CVE-2023-36884

APT Groups using this vulnerability

Storm-0978 (the RomCom Group) has been identified as actively exploiting CVE-2023-36884. This group is known for its sophisticated cyber-espionage campaigns targeting sectors in the United States and Europe. By leveraging this vulnerability, they have been able to bypass security features and execute remote code, gaining unauthorized access to sensitive information and systems.

Affected Product Versions

The following product versions are affected by CVE-2023-36884:
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office 2021 (LTSC, x64 and x86)
- Microsoft Word 2013 SP1
- Microsoft Word 2016
- Windows 10 (various versions up to 22H2)

Workaround and Mitigation

Microsoft has released security patches to address CVE-2023-36884. Organizations are strongly advised to apply these patches immediately. In addition to patching, the following mitigation strategies can help reduce the risk of exploitation:

Disabling Windows Search can mitigate the risk of exploitation if it is not required. Implementing email and web filtering can block malicious documents and links. Educating users about the risks of opening unsolicited documents and emails is also crucial.

Specific mitigation steps include:
1. Microsoft Defender for Office: Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
2. Attack Surface Reduction Rule: The use of the "Block all Office applications from creating child processes" Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
3. Registry Key Modifications: Organizations can add specific application names to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION as values of type REG_DWORD with data 1.

A PowerShell script has been provided by NinjaOne to automate the registry changes required to mitigate CVE-2023-36884. The script can be used to deploy the mitigation remotely and at scale. The script is available for download on the NinjaOne website.
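The following script is an added example, not the NinjaOne script or Microsoft's own code. It applies the registry mitigation from step 3, verifies it in a form a compliance baseline can consume, and includes a helper for the ASR rule from step 2. It assumes it runs elevated and that the application list is the one Microsoft's advisory names for this key; verify that list against the current MSRC guidance before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the CVE-2023-36884 registry mitigation.
# The application names below are assumed from Microsoft's advisory for this key;
# confirm them against MSRC before rollout.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')
# Rule ID of "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-Cve202336884Mitigation {
    # Create the policy key if absent, then add each application as REG_DWORD = 1
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Cve202336884Mitigation {
    # Returns the application names that are missing or not set to 1.
    # An empty result means the host is compliant with the registry mitigation.
    if (-not (Test-Path $KeyPath)) { return $Apps }
    $values = Get-ItemProperty -Path $KeyPath
    $missing = @()
    foreach ($app in $Apps) {
        $prop = $values.PSObject.Properties[$app]
        if ($null -eq $prop -or $prop.Value -ne 1) { $missing += $app }
    }
    return $missing
}

function Enable-OfficeChildProcessAsrRule {
    # Only meaningful where Microsoft Defender Antivirus is the active engine;
    # Add-MpPreference merges this rule with any ASR rules already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Set-Cve202336884Mitigation
$notCompliant = Test-Cve202336884Mitigation
if ($notCompliant.Count -eq 0) {
    Write-Output 'Registry mitigation present for all listed applications.'
} else {
    Write-Output "Missing or incorrect values: $($notCompliant -join ', ')"
    exit 1
}
```

Run Test-Cve202336884Mitigation alone as a detection or compliance check; the non-zero exit code lets RMM or SCCM baselines flag hosts where the mitigation did not apply.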

References

For more detailed information, please refer to the following sources:
- Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- GitHub - Maxwitat: https://github.com/Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline
- GitHub - jakabakos: https://github.com/jakabakos/CVE-2023-36884-MS-Office-HTML-RCE
- GitHub - ridsoliveira: https://github.com/ridsoliveira/Fix-CVE-2023-36884
- GitHub - tarraschk: https://github.com/tarraschk/CVE-2023-36884-Checker
- GitHub - zerosorai: https://github.com/zerosorai/CVE-2023-36884

Rescana is here for you

At Rescana, we understand the critical importance of protecting your organization from emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you stay ahead of vulnerabilities like CVE-2023-36884. By continuously monitoring your systems and providing actionable insights, we enable you to proactively manage your cybersecurity posture. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
