Threat Signal Report
Proof of Concept for Microsoft Word RTF Font Table Heap Corruption (CVE-2023-21716) Released
Description
Update 3/14 - Coverage section updated with available IPS signature.
FortiGuard Labs is aware of a new proof of concept released over the weekend for CVE-2023-21716 (Microsoft Word Remote Code Execution Vulnerability).
Patched in the February Microsoft Monthly Security Release, CVE-2023-21716 is a vulnerability in Microsoft Office's wwlib that allows attackers to achieve remote code execution on a targeted machine via a maliciously crafted RTF document. What makes this vulnerability dangerous is that it does not require any user interaction. Now that a proof of concept is publicly available, exploitation is even more likely, as it no longer requires any legwork or additional development by an attacker.
What are the technical details of the CVE-2023-21716?
The RTF parser in Microsoft Word is susceptible to a heap corruption vulnerability when it handles a font table containing an excessive number of fonts. The font ID value is corrupted because it loads upper bits from the EDX data register (which is used for arithmetic and logical operations) and contains appended writes of ffff; the resulting out-of-bounds memory write corrupts the heap.
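Because the condition described above is an abnormally large font table, a mail gateway or triage script can flag RTF attachments whose \fonttbl group is far larger than any ordinary document needs. The following Python scanner is an added example, not code from the FortiGuard report, Microsoft or the proof-of-concept author. It walks the RTF brace structure (honouring escaped braces) to isolate the font table, counts the \fN entries in it and reports whether the count exceeds a threshold. DEFAULT_MAX_FONTS and the sample documents are constructed assumptions for illustration; the advisory does not publish a threshold.

```python
"""Added example: count the entries in an RTF document's font table.

The Word RTF parser corrupts the heap when the font table holds an excessive
number of fonts, so an oversized {\fonttbl ...} group is a useful triage
signal for RTF attachments. The threshold is an assumption chosen for this
example, not a value from the advisory.
"""
import re
from dataclasses import dataclass

# Assumed triage threshold (constructed for this example): ordinary documents
# declare a handful of fonts, so this value is deliberately conservative.
DEFAULT_MAX_FONTS = 512

_FONTTBL = re.compile(rb"\\fonttbl\b")
# \f followed by digits is a font entry (\f0, \f1, ...); control words such as
# \fswiss or \fcharset0 start with a letter after \f and do not match.
_FONT_ENTRY = re.compile(rb"\\f(\d+)")


@dataclass
class FontTableReport:
    font_count: int    # number of \fN entries inside the font table
    max_font_id: int   # largest font id seen, -1 if no table
    suspicious: bool   # font_count exceeds the configured threshold


def font_table_body(data: bytes) -> bytes:
    """Return the raw bytes inside the {\fonttbl ...} group, or b"" if absent.

    The scan is brace-aware: nested groups for each font are tracked by depth,
    and any byte following a backslash (control symbols, \{ and \}) is skipped
    so escaped braces in font names do not unbalance the count.
    """
    m = _FONTTBL.search(data)
    if not m:
        return b""
    start = i = m.end()
    depth = 1  # we are inside the group that was opened just before \fonttbl
    while i < len(data) and depth > 0:
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped byte / control-word initial letter
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
        i += 1
    # i now points just past the closing brace; drop that brace from the body.
    return data[start:i - 1] if depth == 0 else data[start:]


def scan_rtf(data: bytes, max_fonts: int = DEFAULT_MAX_FONTS) -> FontTableReport:
    """Count font entries in the font table and flag an excessive count."""
    ids = [int(x) for x in _FONT_ENTRY.findall(font_table_body(data))]
    return FontTableReport(
        font_count=len(ids),
        max_font_id=max(ids) if ids else -1,
        suspicious=len(ids) > max_fonts,
    )


# Constructed benign sample: three fonts, one name containing escaped braces.
BENIGN_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\fonttbl{\f0\fswiss\fcharset0 Arial;}{\f1\fmodern\fcharset0 Courier New;}"
    rb"{\f2\froman Times \{New\} Roman;}}"
    rb"\f0\fs24 Quarterly report \{draft\}\par}"
)

if __name__ == "__main__":
    print(scan_rtf(BENIGN_RTF))
```

The count is a heuristic for triage, not a replacement for patching or the IPS signature: a document can exceed the threshold for benign reasons, and the scanner only inspects the first \fonttbl group it finds.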
What is the CVSS score for CVE-2023-21716?
The CVSS score is 9.8 (CRITICAL).
Are Patches Available?
Yes, Microsoft published patches in the February 14, 2023 Patch Tuesday update.
What Versions of Microsoft Office are Vulnerable?
The following unpatched versions are vulnerable:
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Microsoft SharePoint Server 2019
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office 2019 for Mac
Microsoft Office Online Server
SharePoint Server Subscription Edition Language Pack
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft SharePoint Server Subscription Edition
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC for Mac 2021
What are the Details of Coverage?
Customers running the latest IPS definitions are protected against exploitation by the following signature:
MS.Office.Word.RTF.wwlib.Memory.Corruption
Any Suggested Mitigation?
FortiGuard Labs suggests that all users of affected versions of Microsoft Office patch immediately. If this is not an option, other mitigations suggested by Microsoft include reading emails in plain text format only and using the Microsoft Office File Block policy, which prevents RTF documents from being previewed or opened without user interaction. Further mitigation guidance from Microsoft can be found under "Microsoft Word Remote Code Execution Vulnerability" in the Appendix.
Appendix
Microsoft Word Remote Code Execution Vulnerability (Microsoft)
Microsoft Word RTF Font Table Heap Corruption (Qoop.org)
Tweet by @JDuck (Twitter)