
Exploiting CVE-2017-11882: Critical Microsoft Office Vulnerability Targeted by APTs


Executive Summary

CVE-2017-11882 is a critical remote code execution vulnerability in Microsoft Office's Equation Editor (EQNEDT32.EXE). This vulnerability allows an attacker to execute arbitrary code in the context of the current user by exploiting a memory corruption issue. The vulnerability was first disclosed in November 2017 and has been actively exploited in the wild. Various APT groups, including APT28 (Fancy Bear), have leveraged this vulnerability in targeted attacks, affecting sectors such as government, defense, and critical infrastructure across multiple countries.

Technical Information

CVE-2017-11882 is a severe vulnerability in Microsoft Office's Equation Editor, a component that has been in use since 2000. The vulnerability arises from improper handling of objects in memory, leading to a buffer overflow condition. This allows an attacker to execute arbitrary code with the same privileges as the current user. The vulnerability affects multiple versions of Microsoft Office, including Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, and Microsoft Office 2016.

The vulnerability is identified by the following details:

  - CVE ID: CVE-2017-11882
  - Description: Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
  - CVSS v3.1 Base Score: 7.8 (High)
  - Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The vulnerability is exploited by crafting a malicious document that, when opened, triggers the Equation Editor to process specially crafted equation data. This leads to a buffer overflow, allowing the attacker to execute arbitrary code. The exploit does not require any special privileges and can be executed with minimal user interaction, making it highly effective for phishing campaigns and other social engineering attacks.
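Because every CVE-2017-11882 document has to carry an embedded Equation Editor object for EQNEDT32.EXE to be invoked at all, a first-pass triage check is to look for that object in files arriving by mail or sitting in quarantine. The script below is an added example, not code from the original report or from Rescana; the marker set it uses is an assumption on my part (the Equation Editor's registered CLSID {0002CE02-0000-0000-C000-000000000046} in its little-endian on-disk form, the same bytes as RTF hex text, the ProgID Equation.3, and the "Equation Native" OLE stream name), and the quarantine path in the usage line is a placeholder.

```powershell
# Added triage example, not code from the original report. It flags Office and
# RTF files that carry an embedded Equation Editor object. An embedded equation
# is also a legitimate feature, so a hit means "look closer", not "exploited".
# Requires Windows PowerShell 5.1 or PowerShell 7 (.NET ZipFile class).

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Latin-1 maps every byte to exactly one char, so a substring search on the
# decoded string is a substring search on the raw bytes.
$Latin1 = [System.Text.Encoding]::GetEncoding(28591)

# Assumed marker set (see lead-in). OLE stores the CLSID little-endian, RTF
# stores the same bytes as hex text, and the OLE directory names the
# equation stream "Equation Native" in UTF-16LE.
$ClsidBytes = [byte[]](0x02,0xCE,0x02,0x00, 0x00,0x00, 0x00,0x00,
                       0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46)
$Markers = @(
    @{ Name = 'OLE CLSID (raw bytes)';        Value = $Latin1.GetString($ClsidBytes);
       Cmp = [System.StringComparison]::Ordinal }
    @{ Name = 'RTF objdata CLSID (hex text)'; Value = '02ce020000000000c000000000000046';
       Cmp = [System.StringComparison]::OrdinalIgnoreCase }
    @{ Name = 'ProgID Equation.3';            Value = 'Equation.3';
       Cmp = [System.StringComparison]::OrdinalIgnoreCase }
    @{ Name = 'OLE stream "Equation Native"';
       Value = $Latin1.GetString([System.Text.Encoding]::Unicode.GetBytes('Equation Native'));
       Cmp = [System.StringComparison]::Ordinal }
)

function Get-ScanText {
    # Yields the decoded bytes of a file, or of each entry of an OOXML (zip)
    # container: the OLE object inside .docx/.xlsx is deflated, so a byte scan
    # of the outer file would not see it.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $isZip = $bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and
             $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04
    if (-not $isZip) { return $Latin1.GetString($bytes) }
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $ms = New-Object System.IO.MemoryStream
            $stream = $entry.Open()
            try { $stream.CopyTo($ms) } finally { $stream.Dispose() }
            $Latin1.GetString($ms.ToArray())
        }
    } finally { $zip.Dispose() }
}

function Test-EquationEditorObject {
    # Returns one object per file: Flagged plus the list of markers that matched.
    param([Parameter(Mandatory)][string]$Path)
    $chunks = @(Get-ScanText -Path $Path)
    $hits = foreach ($m in $Markers) {
        foreach ($chunk in $chunks) {
            if ($chunk.IndexOf($m.Value, $m.Cmp) -ge 0) { $m.Name; break }
        }
    }
    [pscustomobject]@{
        Path    = $Path
        Flagged = [bool]$hits
        Markers = (@($hits) -join '; ')
    }
}

function Find-EquationEditorObjects {
    # Recursive sweep of a directory, returning only flagged files.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -File -Include *.doc,*.dot,*.docx,*.rtf,*.xls,*.xlsx,*.ppt,*.pptx |
        ForEach-Object { Test-EquationEditorObject -Path $_.FullName } |
        Where-Object { $_.Flagged }
}

# Usage (placeholder path):
# Find-EquationEditorObjects -Directory 'C:\Quarantine' | Format-Table -AutoSize
```

Treat the output as a worklist, not a verdict: a flagged file still needs the embedded object pulled apart (oletools' rtfobj and olefile do this) to tell a real equation from crafted equation data, and RTF samples seen in the wild often obfuscate the object payload enough that plain string matching misses it, so this is a cheap first filter, not a replacement for patching.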

Exploitation in the Wild

CVE-2017-11882 has been actively exploited in the wild since its disclosure. Threat actors have used this vulnerability to deliver various types of malware, including keyloggers, remote access trojans (RATs), and information stealers. Notable exploits and campaigns include:

  1. Agent Tesla: Threat actors have been observed exploiting CVE-2017-11882 to deliver the Agent Tesla keylogger. The malicious document, often delivered via phishing emails, exploits the vulnerability to install the malware on the victim's machine. Reference: Zscaler Blog (https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla)

  2. Multiple Malware Delivery: An Excel document exploiting CVE-2017-11882 was found delivering multiple malware payloads, including remote access trojans (RATs) and information stealers. Reference: Fortinet Blog (https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882)

  3. APT Groups: Various APT groups have leveraged this vulnerability in targeted attacks. For instance, APT28 (Fancy Bear) has been known to use this exploit in their campaigns. Reference: Unit 42 Analysis (https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/)

APT Groups using this vulnerability

APT28 (Fancy Bear), a well-known Russian cyber espionage group, has been observed using CVE-2017-11882 in their campaigns. This group primarily targets government, defense, and critical infrastructure sectors across multiple countries. Their use of this vulnerability highlights the importance of patching and mitigating such critical security flaws to protect sensitive information and systems.

Affected Product Versions

The following versions of Microsoft Office are affected by CVE-2017-11882:

  - Microsoft Office 2007 SP3
  - Microsoft Office 2010 SP2
  - Microsoft Office 2013 SP1
  - Microsoft Office 2016

Workaround and Mitigation

To mitigate the risk of exploitation, it is crucial to apply the patches released by Microsoft. The patches address the vulnerability by adding boundary checks to prevent buffer overflows and introducing additional security measures such as enabling ASLR (Address Space Layout Randomization). Patch Reference: Microsoft Security Guidance (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882)

As a temporary measure, disabling the Equation Editor can prevent exploitation of this vulnerability. This can be done by modifying the registry settings to disable the EQNEDT32.EXE application. Additionally, monitoring for Indicators of Compromise (IOCs) such as specific file hashes and unusual outbound connections to known C2 servers associated with malware delivered via this exploit can help in identifying potential exploitation attempts.
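The registry workaround referred to above, together with a matching hunt for the process behaviour it prevents, as an added example that is not part of the original report or of Rescana's tooling. The CLSID and the 0x400 Compatibility Flags value are taken from the workaround Microsoft published for CVE-2017-11882, not from this page; the Sysmon channel name and event field names are the standard ones and are assumed to be in use on the host.

```powershell
# Added example, not code from the original report. Part 1 audits or applies
# the COM compatibility "kill bit" that stops Office from instantiating the
# Equation Editor; part 2 hunts Sysmon process-creation events for
# EQNEDT32.EXE spawning anything, which a patched or mitigated host should
# never show. Run elevated to apply the registry change.

# Equation Editor class id and kill-bit value from Microsoft's published
# CVE-2017-11882 workaround (assumed, not taken from this report).
$EqnEdClsid = '{0002CE02-0000-0000-C000-000000000046}'
$KillBit    = 0x400
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$EqnEdClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$EqnEdClsid"
)

function Get-EquationEditorKillBitState {
    # One row per key. A missing key or value means the workaround is not applied.
    foreach ($key in $CompatKeys) {
        $flags = $null
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key       = $key
            Flags     = $flags
            Mitigated = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-EquationEditorKillBit {
    # Creates the key if needed and ORs 0x400 into whatever flags already exist,
    # so other compatibility bits set by an admin or vendor are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $CompatKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags |= 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $newValue = [int]$existing -bor $KillBit
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                             -Value $newValue -Force | Out-Null
        }
    }
}

function Find-EquationEditorChildProcess {
    # Sysmon Event ID 1 (process create) where the parent is EQNEDT32.EXE.
    # The editor is started out-of-process by DCOM, so the usual
    # "Office spawned a shell" rule does not see it; the child-of-EQNEDT32 rule does.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['ParentImage'] -match '\\EQNEDT32\.EXE$') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Parent      = $d['ParentImage']
                    Child       = $d['Image']
                    CommandLine = $d['CommandLine']
                }
            }
        }
}

# Usage:
# Get-EquationEditorKillBitState | Format-Table -AutoSize
# Set-EquationEditorKillBit -WhatIf      # drop -WhatIf to apply
# Find-EquationEditorChildProcess | Format-Table -AutoSize
```

Two points worth knowing before rolling this out: setting the kill bit means users can no longer open or edit legacy equation objects in existing documents, so it is a stop-gap until the patch is deployed rather than a permanent fix; and the hunt only finds events Sysmon actually logged, so on hosts without Sysmon the equivalent is Security event 4688 with command-line auditing enabled.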

References

  • NVD CVE-2017-11882 (https://nvd.nist.gov/vuln/detail/cve-2017-11882)
  • Zscaler Blog on Agent Tesla (https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla)
  • Fortinet Blog on Multiple Malware Delivery (https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882)
  • Unit 42 Analysis of CVE-2017-11882 (https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/)
  • Microsoft Security Guidance (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882)
  • 0patch Blog (https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html)
  • Kaspersky Blog on CVE-2017-11882 (https://usa.kaspersky.com/blog/cve-2017-11882-exploitation-on-the-rise/28757/)

Rescana is here for you

At Rescana, we understand the critical importance of staying ahead of emerging threats and vulnerabilities. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate risks associated with vulnerabilities like CVE-2017-11882. By leveraging our advanced threat intelligence and proactive security measures, we ensure that your organization remains protected against the latest cyber threats. If you have any questions about this report or any other issue, please feel free to contact us at ops@rescana.com.
