The remote system may be vulnerable to CVE-2023-36884 because the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key mitigations referenced in the vendor advisory have not been applied correctly.
An unauthenticated, remote attacker could exploit this vulnerability by using specially crafted Microsoft Office documents to execute arbitrary code on an affected host.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration: when the engine loads the script in description mode it
# only records the metadata below and exits before any host is contacted.
if (description)
{
  # --- Identity and cross-references -------------------------------------
  script_id(178275);
  script_version("1.1");

  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/17");

  script_cve_id("CVE-2023-36884");
  script_xref(name:"IAVA", value:"2023-A-0345");
  script_xref(name:"IAVA", value:"2023-A-0347");
  script_xref(name:"IAVA", value:"2023-A-0348");
  script_xref(name:"IAVA", value:"2023-A-0349");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/08/07");

  # --- Human-readable finding text ---------------------------------------
  # The multi-line string bodies below are kept flush-left on purpose: any
  # leading whitespace inside the quotes would become part of the text.
  script_name(english:"Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation");

  script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is potentially missing a mitigation for a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
    "The remote system may be vulnerable to CVE-2023-36884 since it does not have the correct FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key
mitigations applied as referenced in the vendor advisory.
An unauthenticated, remote attacker could exploit this, by using specially-crafted Microsoft Office documents, to execute arbitrary
code on an affected host.");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884");
  # Presumably the long form of the shortened link registered on the next line:
  # https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?918dd10f");
  script_set_attribute(attribute:"solution", value:
    "Add the following application names to this registry key as values of type REG_DWORD with data 1:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
Powerpnt.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe");

  # --- Risk scoring (manually assigned from the vendor advisory) ---------
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Score based on analysis of the vendor advisory.");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/13");

  # Flagged as a *potential* finding: the script checks a mitigation setting,
  # not whether the vulnerable code is actually present or reachable.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # --- Scheduling and prerequisites --------------------------------------
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl");
  # Requires an enumerated registry and a scan configured for paranoid reporting.
  script_require_keys("SMB/Registry/Enumerated", "Settings/ParanoidReport");
  script_require_ports(139, 445);

  exit(0);
}
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
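##
# Main check.
#
# For every application in the list, read the per-application value under
# HKLM\SOFTWARE\Policies\...\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION and
# report the host when any value is absent or not equal to 1.
#
# Scope: only this registry mitigation is examined. Nothing here looks at
# installed updates or other protections, so a reported host is "missing the
# mitigation", not "confirmed exploitable". That is why the check runs only
# for paranoid scans.
##

# The check needs registry access to have been established by earlier plugins.
get_kb_item_or_exit('SMB/Registry/Enumerated');

# Potential (mitigation-only) finding: skip unless the scan asked for
# paranoid reporting.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

hotfix_check_fversion_init();

# NOTE(review): apart from RegCloseKey() below, no teardown matching
# registry_init() is visible in this script -- confirm whether the library
# expects one.
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Trailing backslash: the application name appended below becomes the last
# path component, i.e. the value name that is read from this key.
var key_base = 'SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\\';

# Executables named in the plugin's solution text.
var application_names = [
  'Excel.exe',
  'Graph.exe',
  'MSAccess.exe',
  'MSPub.exe',
  'Powerpnt.exe',
  'Visio.exe',
  'WinProj.exe',
  'WinWord.exe',
  'Wordpad.exe'
];

var vuln = FALSE;

# Report header; one line per non-compliant application is appended below.
var report = 'Nessus has detected that the following application names are missing a REG_DWORD value of 1 from the\n' +
  'Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key\n' +
  'as detailed in the vendor advisory: \n\n';

foreach var application_name (application_names)
{
  var key = key_base + application_name;
  var val = get_registry_value(handle:hklm, item:key);

  # A missing value and a value other than 1 are both treated as "mitigation
  # not applied" for that application.
  # NOTE(review): the registry *type* of the value is not checked, although
  # the solution text asks for REG_DWORD -- confirm how get_registry_value()
  # returns a string "1" before relying on this as a type check.
  if (empty_or_null(val) || val != 1)
  {
    vuln = TRUE;
    report += ' ' + application_name + '\n';
  }
}

RegCloseKey(handle:hklm);

if (!vuln)
{
  # audit() ends the script, so the hotfix_check_fversion_init() call above
  # has to be paired with its end call here as well; previously only the
  # reporting path below reached it.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# At least one application lacks the mitigation: emit the finding.
hotfix_add_report(report);
hotfix_security_hole();
hotfix_check_fversion_end();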