[Updates released] [Zero-day] CVE-2023-36884 being targeted in the wild. No patches released yet.

Edit 1: Microsoft has released an update for Microsoft Office that provides enhanced security as a defense-in-depth measure. Microsoft has also stated that installing this update will break the attack chain leading to CVE-2023-36884.

More details can be found in ADV230003.


The mitigation steps previously described below have since been removed from Microsoft's official advisory.


July 2023's Patch Tuesday has brought 5 zero days and 9 critical vulnerabilities. Among the zero days, CVE-2023-36884, a Remote Code Execution vulnerability, is making the headlines.

About the vulnerability 

As per reports, CVE-2023-36884 is a zero day affecting Microsoft Office and Windows. Assigned a CVSS 3.1 base score of 8.3, this vulnerability is being actively exploited, and a proof of concept (POC) has been publicly disclosed.

MSRC states, "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

Microsoft has also stated that they are aware of the targeted attacks on organizations being performed by leveraging this vulnerability.

Mitigation steps 

So far, no security updates (or patches) have been released to fix the vulnerability. However, Microsoft has listed manual mitigation methods to protect systems from exploitation:

1) Using Microsoft Defender for Office can prevent this vulnerability from being exploited via attachments.

2) Blocking all Office applications from creating child processes can also prevent the vulnerability from being exploited in the current attack chains.

3) For organizations that are unable to use the above-mentioned protections, Microsoft has listed modifying registry settings as the final option:

"Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

Add the following application names to this registry key as values of type REG_DWORD with data 1:"

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe

  • Graph.exe

  • MSAccess.exe

  • MSPub.exe

  • Powerpnt.exe

  • Visio.exe

  • WinProj.exe

  • WinWord.exe

  • Wordpad.exe

The mitigation steps suggested by Microsoft have been added to a script that can be downloaded from the ManageEngine website. Users can deploy this script to the required systems to prevent exploitation.
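The registry mitigation above, as an added PowerShell example (not the ManageEngine script and not Microsoft's code): it audits the nine application values under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key and, when run with -Apply from an elevated session, creates the key and sets each value to DWORD 1. The parameter name and the exit code convention are this example's own choices.

```powershell
# Added example, not the ManageEngine script: audit and (optionally) apply the
# CVE-2023-36884 registry mitigation listed in Microsoft's advisory.
# Writing under HKLM requires an elevated (administrator) PowerShell session.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-MitigationState {
    # One object per application: the current value (if any) and whether it equals 1.
    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path -LiteralPath $KeyPath) {
            $value = (Get-ItemProperty -LiteralPath $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

function Set-Mitigation {
    # Create the key (and any missing parent keys) and set each REG_DWORD value to 1.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -LiteralPath $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

if ($Apply) { Set-Mitigation }

$state = Get-MitigationState
$state | Format-Table -AutoSize

# Non-zero exit code lets a deployment tool flag hosts where the mitigation is incomplete.
$missing = @($state | Where-Object { -not $_.Mitigated })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} applications are not yet mitigated." -f $missing.Count, $Apps.Count)
    exit 1
}
Write-Host 'All listed applications have FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION = 1.'
```

Run it without -Apply first to see which values are missing; Microsoft notes that the setting can affect regular functionality for some use cases, so test on a pilot group before wide deployment.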


Note:
1) If the above-mentioned registry keys are not available in the systems, the vulnerability will automatically be detected in the systems. (Navigate to Threats > Zero-day Vulnerabilities on the product console.)
2) If you've already followed mitigation step 1 or 2, kindly exclude the detected vulnerability from the systems.

Mitigation using Vulnerability Manager Plus


The above-mentioned mitigation step can be deployed to the systems seamlessly via a patch, right from the Vulnerability Manager Plus console.


1) Navigate to Patches > Supported Patches

2) Search for the Patch ID 110664 


Patch ID: 110664
Patch Description: Mitigations for Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884)

3) Select the patch and deploy it to the required systems in the network


The configuration will be created automatically and applied to the systems.


Note:

1) This patch can be found only in Supported Patches and not in Missing Patches or Installed Patches.

2) Patches, once released by the vendor, will be added to this forum.
