nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS23_JUL_CVE-2023-36884_MITIGATION.NASL
HistoryJul 13, 2023 - 12:00 a.m.

Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation

2023-07-1300:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
116
windows
html
remote code execution
vulnerability
cve-2023-36884
mitigation
microsoft office
registry key
cross protocol file navigation
unauthenticated
attack
microsoft excel
microsoft graph
microsoft access
microsoft publisher
microsoft word
microsoft wordpad

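The remote system may be vulnerable to CVE-2023-36884 because the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry mitigations referenced in the vendor advisory have not been applied. The plugin source below tests only these registry values, so a finding indicates a missing mitigation rather than a confirmed unpatched component.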

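An unauthenticated, remote attacker could exploit this with a specially crafted Microsoft Office document to execute arbitrary code on an affected host. The plugin's CVSS v3 vector (UI:R) indicates that a user must interact with the document for the attack to succeed.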

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration block. It runs only when `description` is set, records
# the plugin's metadata, and exits before any check is performed.
if (description)
{
  script_id(178275);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/17");

  # Cross-references: the CVE, four IAVA notices and a CISA Known Exploited
  # Vulnerabilities entry.
  # NOTE(review): the CISA-KNOWN-EXPLOITED value is presumably the KEV
  # remediation due date rather than the date the entry was added - confirm.
  script_cve_id("CVE-2023-36884");
  script_xref(name:"IAVA", value:"2023-A-0345");
  script_xref(name:"IAVA", value:"2023-A-0347");
  script_xref(name:"IAVA", value:"2023-A-0348");
  script_xref(name:"IAVA", value:"2023-A-0349");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/08/07");

  script_name(english:"Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation");

  # The synopsis and description say "potentially" and "may be" because the
  # check body below reads only the registry mitigation values.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is potentially missing a mitigation for a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote system may be vulnerable to CVE-2023-36884 since it does not have the correct FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key
mitigations applied as referenced in the vendor advisory.

An unauthenticated, remote attacker could exploit this, by using specially-crafted Microsoft Office documents, to execute arbitrary
code on an affected host.");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884");
  # https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?918dd10f");
  # The solution lists the same nine executables that the check body tests;
  # the two lists must be kept in step.
  script_set_attribute(attribute:"solution", value:
"Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  Excel.exe
  Graph.exe
  MSAccess.exe
  MSPub.exe
  Powerpnt.exe
  Visio.exe
  WinProj.exe
  WinWord.exe
  Wordpad.exe");
  # The scores were assigned manually from the vendor advisory (see
  # cvss_score_source and cvss_score_rationale below). In the v3 vector, UI:R
  # means a user must interact with the crafted document, and AC:H means
  # attack complexity is rated high.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Score based on analysis of the vendor advisory.");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/13");

  # The finding is marked as a potential vulnerability. Together with the
  # Settings/ParanoidReport requirement below, this means the plugin reports
  # only when the scan is configured for paranoid reporting.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: two earlier SMB plugins, the KB flag showing that the
  # registry was enumerated, the paranoid-report setting, and the SMB ports.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "Settings/ParanoidReport");
  script_require_ports(139, 445);

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');

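# Check body: report every Office/WordPad executable that lacks the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation value in HKLM.
#
# Only registry values are read. No file version or installed update is
# compared in this script, so a finding means "mitigation not configured",
# not "binary confirmed unpatched".

# Stop unless the KB records that the registry was enumerated over SMB.
get_kb_item_or_exit('SMB/Registry/Enumerated');

# A missing mitigation value is not proof of exploitability, so the check is
# limited to scans running at paranoid report level.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

# Resolve the system drive as an SMB share and confirm it can be accessed.
var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

# Start the hotfix helpers (paired with hotfix_check_fversion_end() on both
# exit paths below) and connect to the HKLM hive on the target.
hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Policy key that holds one value per application name.
var key_base = 'SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\\';

# Executables that the solution text asks administrators to list under the key.
var application_names = [
  'Excel.exe',
  'Graph.exe',
  'MSAccess.exe',
  'MSPub.exe',
  'Powerpnt.exe',
  'Visio.exe',
  'WinProj.exe',
  'WinWord.exe',
  'Wordpad.exe'
];

var vuln = FALSE;
var report = 'Nessus has detected that the following application names are missing a REG_DWORD value of 1 from the\n' +
  'Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key\n' +
  'as detailed in the vendor advisory: \n\n';

foreach var application_name (application_names)
{
  var key = key_base + application_name;
  var val = get_registry_value(handle:hklm, item:key);

  # Flag the application when the value is absent, empty, or anything other
  # than 1. One unprotected application is enough to report the host.
  # NOTE(review): only the value's data is compared here; its registry type
  # (REG_DWORD) is not verified by this code.
  if (empty_or_null(val) || val != 1)
  {
    vuln = TRUE;
    report += '  ' + application_name + '\n';
  }
}
RegCloseKey(handle:hklm);

if (!vuln)
{
  # Run the same cleanup as the reporting path before audit() ends the script.
  # Previously this path exited without calling hotfix_check_fversion_end().
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

hotfix_add_report(report);

hotfix_security_hole();
hotfix_check_fversion_end();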
Vendor | Product | Version | CPE
microsoft | windows | | cpe:/o:microsoft:windows