Source: nessus
Reporter: This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
Plugin file: SMB_NT_MS23_JUL_CVE-2023-36884_MITIGATION.NASL
HistoryJul 13, 2023 - 12:00 a.m.

Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation

2023-07-1300:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
114

The remote system may be vulnerable to CVE-2023-36884 since it does not have the correct FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key mitigations applied as referenced in the vendor advisory.

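An unauthenticated, remote attacker could exploit this by getting a user to open a specially crafted Microsoft Office document, and thereby execute arbitrary code on the affected host. (The plugin's CVSS v3 vector below carries UI:R, i.e. user interaction is required.)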

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration section: when the script is run with `description` set, only
# this block executes; it declares the plugin's metadata and then exits via
# the exit(0) at the end, so none of the checks below it run in that mode.
if (description)
{
  script_id(178275);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/17");

  # Identifiers this finding is tracked under. The CISA-KNOWN-EXPLOITED xref
  # marks the CVE as listed in CISA's Known Exploited Vulnerabilities catalog;
  # its value is a date, presumably the catalog's remediation due date (confirm).
  script_cve_id("CVE-2023-36884");
  script_xref(name:"IAVA", value:"2023-A-0345");
  script_xref(name:"IAVA", value:"2023-A-0347");
  script_xref(name:"IAVA", value:"2023-A-0348");
  script_xref(name:"IAVA", value:"2023-A-0349");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/08/07");

  script_name(english:"Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation");

  # Human-readable text shown in scan results. The wording is deliberately
  # "potentially" / "may be": the plugin tests for a mitigation setting, not
  # for the vulnerable code itself.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is potentially missing a mitigation for a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote system may be vulnerable to CVE-2023-36884 since it does not have the correct FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key
mitigations applied as referenced in the vendor advisory.

An unauthenticated, remote attacker could exploit this, by using specially-crafted Microsoft Office documents, to execute arbitrary
code on an affected host.");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884");
  # Presumably the full target of the shortened see_also link on the next line:
  # https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?918dd10f");
  # Remediation text: the same nine executable names are checked one by one in
  # the script body, so this list and the application_names array there must
  # stay in sync.
  script_set_attribute(attribute:"solution", value:
"Add the following application names to this registry key as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  Excel.exe
  Graph.exe
  MSAccess.exe
  MSPub.exe
  Powerpnt.exe
  Visio.exe
  WinProj.exe
  WinWord.exe
  Wordpad.exe");
  # Severity scoring. Both vectors are network-reachable with high attack
  # complexity; the v3 vector additionally records UI:R (a user has to act)
  # and S:C (scope changed). The score source is declared as "manual", with
  # the rationale given in the attribute that follows.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"Score based on analysis of the vendor advisory.");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/13");

  # Flagged as a potential vulnerability; together with the
  # Settings/ParanoidReport key required below, this means the check is only
  # meant to report on scans configured for paranoid reporting.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin is declared as information gathering.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Preconditions: the two named scripts are declared as dependencies, the
  # knowledge base must contain SMB/Registry/Enumerated and
  # Settings/ParanoidReport, and the SMB ports 139/445 are required.
  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "Settings/ParanoidReport");
  script_require_ports(139, 445);

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');

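# Check body: reports the host when any of the listed application names lacks
# a value of 1 under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION policy
# key in HKLM.
#
# Limits of this check, for anyone triaging its output:
#  - It reads the registry only. Nothing here looks at installed updates, so a
#    host is reported whenever the values are absent.
#    NOTE(review): confirm against the current vendor advisory whether a fix
#    has superseded the registry mitigation before treating a hit as exposure.
#  - Every listed name is tested without checking whether that application is
#    installed on the host.
#  - Only the HKLM policy path in key_base is consulted.

# Exit unless the knowledge base records that the registry was enumerated.
get_kb_item_or_exit('SMB/Registry/Enumerated');

# Only report on scans configured for paranoid reporting. On any other scan
# this script exits here, so "no finding" does not mean the mitigation is set.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share))
  audit(AUDIT_SHARE_FAIL, share);

hotfix_check_fversion_init();
registry_init();
var hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Trailing backslash so that a value name can be appended directly.
var key_base = 'SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION\\';

# Must match the list given in the plugin's "solution" attribute.
var application_names = [
  'Excel.exe',
  'Graph.exe',
  'MSAccess.exe',
  'MSPub.exe',
  'Powerpnt.exe',
  'Visio.exe',
  'WinProj.exe',
  'WinWord.exe',
  'Wordpad.exe'
];

var vuln = FALSE;
var report = 'Nessus has detected that the following application names are missing a REG_DWORD value of 1 from the\n' +
  'Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key\n' +
  'as detailed in the vendor advisory: \n\n';

foreach var application_name (application_names)
{
  var key = key_base + application_name;
  var val = get_registry_value(handle:hklm, item:key);

  # A missing value and a value other than 1 are treated the same way: the
  # mitigation is considered absent for that application.
  # NOTE(review): only the data is compared; the value's registry type is not
  # inspected here, so this does not by itself confirm REG_DWORD.
  if (empty_or_null(val) || val != 1)
  {
    vuln = TRUE;
    report += '  ' + application_name + '\n';
  }
}
RegCloseKey(handle:hklm);

if (!vuln)
{
  # Pair hotfix_check_fversion_init() with its end call on this path too;
  # previously hotfix_check_fversion_end() was reached only when the host
  # was reported, because audit() exits the script.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

hotfix_add_report(report);

hotfix_security_hole();
hotfix_check_fversion_end();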
Vendor | Product | Version | CPE
microsoft | windows | (none given) | cpe:/o:microsoft:windows