In this post, we cover a high-severity remote code execution (RCE) vulnerability in Office and Windows HTML. The vulnerability, tracked as CVE-2023-36884, has a CVSSv3 score of 8.3 out of 10 and is being actively exploited as a zero-day. Microsoft covered it in its July Patch Tuesday report as one of the actively exploited vulnerabilities. Microsoft has yet to release patches for this vulnerability, but it has provided mitigation guidance to help users avoid exploitation. Since it is being actively exploited in the wild and exploits have been made publicly available, we urge you to fix or mitigate the vulnerability. Let’s see how to mitigate CVE-2023-36884, a high-severity RCE vulnerability in Office and Windows HTML.
Summary of CVE-2023-36884
- CVE ID: CVE-2023-36884
- CVSS: 8.3
- Severity: High
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2023-36884 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Windows and Office. It has been given a CVSSv3 score of 8.3 and is actively being exploited as a zero-day vulnerability. Microsoft has yet to release patches for this vulnerability, but they have provided mitigation guidance to help users avoid exploitation. According to Microsoft researchers, the exploitation of CVE-2023-36884 has been linked to a threat actor known as Storm-0978, also referred to as DEV-0978 or RomCom. This threat actor, believed to be based in Russia, is known for ransomware attacks and intelligence-gathering operations. The targeted regions include Ukraine, North America, and Europe, with the telecommunications and finance industries being the primary targets.
This vulnerability allows an attacker to execute arbitrary code in the context of the victim merely by tricking the victim into opening a specially crafted Microsoft Office document. Microsoft discovered this issue when investigating a phishing campaign conducted by a threat actor known as Storm-0978. This actor primarily targeted defense and government entities in North America and Europe. In addition, this same vulnerability was utilized in separate ransomware attacks.
How to Mitigate CVE-2023-36884, a High-Severity RCE Vulnerability in Office and Windows HTML?
At the time of publishing this post, there is no official patch available. Microsoft is actively investigating the vulnerability and will provide an update or patch as necessary.
Microsoft has published a few mitigation techniques to reduce the attack surface and recommends that users apply them until there is an official patch. Additionally, Microsoft added that its Defender product is capable of preventing the execution of Office documents that ship with the exploit. We recommend using Defender not only to be protected from this vulnerability, but also to be protected from future attacks.
It’s also a strategic idea to implement the “Block all Office applications from creating child processes” Attack Surface Reduction Rule to prevent exploitation. If the above measures can’t be utilized, the following registry changes can be made:
You can add the application names (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) to the registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION as values of type REG_DWORD with data 1.
Please note that while these settings can mitigate exploitation, they could affect regular functionality for certain use cases related to these applications. So, it is strongly advised to test these changes before deploying them widely.
You can automate the mitigation recommended above using either SCCM or a PowerShell script. If you have good PowerShell skills, you can create your own; otherwise, you can use this script created by NinjaOne. The script is not restricted to particular users and can be used by anyone. However, as Microsoft advises, this fix should be deployed on test machines before a wider deployment.
To revert the changes, use the -Undo parameter in the script, or apply the changes to specific Office products using the -OfficeProducts parameter.
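The registry change described above, as an added PowerShell example (it is not the NinjaOne script and not Microsoft's code). The `-Apply` and `-Remove` switches, the `-Applications` parameter and the exit-code convention are assumptions of this example; run with no switch it only reports the current state, and `-Apply` or `-Remove` need an elevated session.

```powershell
# Added example: audit, apply or remove the per-application values under
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION. Parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Applications = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
        'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'),
    [switch]$Apply,   # write REG_DWORD 1 for each application
    [switch]$Remove   # delete the values again (rollback after testing)
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\' +
       'FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

if ($Apply -and $Remove) { throw 'Use either -Apply or -Remove, not both.' }

# The key does not exist on a default install; -Force also creates missing parents.
if ($Apply -and -not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}

$results = foreach ($app in $Applications) {
    $current = $null
    if (Test-Path -LiteralPath $key) {
        # A missing value yields $null instead of an error.
        $current = (Get-ItemProperty -LiteralPath $key -Name $app -ErrorAction SilentlyContinue).$app
    }
    if ($Apply -and $current -ne 1) {
        if ($PSCmdlet.ShouldProcess("$key\$app", 'Set REG_DWORD 1')) {
            New-ItemProperty -LiteralPath $key -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
            $current = 1
        }
    }
    elseif ($Remove -and $null -ne $current) {
        if ($PSCmdlet.ShouldProcess("$key\$app", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $key -Name $app
            $current = $null
        }
    }
    [pscustomobject]@{ Application = $app; Value = $current; Mitigated = ($current -eq 1) }
}

$results | Format-Table -AutoSize

# Audit mode: a non-zero exit code lets a deployment tool flag the host as unmitigated.
if (-not $Apply -and -not $Remove -and ($results.Mitigated -contains $false)) { exit 1 }
```

Running it with `-Apply -WhatIf` on a test machine shows which values would be written without changing the registry.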
This is a complex and critical vulnerability. Until a formal patch is released by Microsoft, these steps should be taken to mitigate risks as much as possible. It’s also crucial to have a strong and reliable backup system in place, in case of successful exploitation.