On 14 February 2023, Microsoft released a security advisory detailing CVE-2023-21716, a Remote Code Execution (RCE) vulnerability affecting a range of Office, SharePoint and 365 application versions. The vulnerability has been assigned a CVSSv3.1 score of 9.8 (CRITICAL), reflecting its ease of exploitation and the minimal victim interaction required.
Given that PoC code is now in the wild, and that RTF attachments are commonly permitted through mail gateways, Prism Infosec is advising its clients that use the Microsoft Office suite to ensure that this issue is suitably remediated in their environments.
An unauthenticated attacker may attempt to exploit a heap corruption vulnerability in Microsoft Word's Rich Text Format (RTF) parser to achieve arbitrary command execution on the target machine if an unsuspecting victim opens a malicious .RTF document. The limiting factor is that the attacker may first need to deliver the document and entice the victim into opening it.
Microsoft's advisory also notes that opening the file may not be necessary at all: the exploit could be triggered via the Preview Pane. Recently, security researcher Joshua J. Drake published a Proof-of-Concept (PoC) script for generating .RTF files that may trigger the issue. Public exploit code usually brings an influx of opportunistic attackers, who can trivially adapt an existing PoC rather than develop an exploit from scratch.
Microsoft addressed the vulnerability on 14 February as part of "Patch Tuesday" and advises that the safest way to remediate the issue is to apply the security update for the affected products. For users who are unable to update, Microsoft's advisory (linked below) also documents workarounds.
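Because RTF attachments are routinely allowed through mail gateways, a useful defensive control is to identify RTF by content rather than by file extension and route anything that is really RTF into quarantine or Protected View. The following Python script is an added illustration of that triage step; it is not code from Prism Infosec, Microsoft or the referenced PoC. Everything in it is constructed for the example: the `{\rtf` header check, the `triage()` verdict names, the sample attachments, and the font-table count (the linked write-up's title points at the RTF font table, so an unusually large table is reported as an extra triage signal; the threshold of 1000 is an assumption, not a documented indicator).

```python
"""Content-based triage of mail attachments for RTF documents (added example).

Assumptions: the header check, verdict names, FONT_COUNT_THRESHOLD and the
SAMPLES dictionary are all constructed for this illustration.
"""
import re
from typing import Optional

RTF_MAGIC = b"{\\rtf"                  # every RTF document begins with this group
FONT_DEF = re.compile(rb"\\f\d+")      # a font definition control word, e.g. \f0, \f12
FONT_COUNT_THRESHOLD = 1000            # assumption: ordinary documents declare far fewer fonts


def is_rtf(data: bytes) -> bool:
    """True when the content starts with the RTF header, whatever the filename says."""
    return data.lstrip().startswith(RTF_MAGIC)


def fonttbl_group(data: bytes) -> Optional[bytes]:
    """Return the bytes of the first font-table group, matching braces.

    Escaped braces are not special-cased: this is a triage heuristic, not a parser.
    """
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(data)):
        ch = data[i:i + 1]
        if ch == b"{":
            depth += 1
        elif ch == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
    return data[start:]  # unterminated group: take the remainder


def font_count(data: bytes) -> int:
    """Number of font definitions inside the font table (0 if there is none)."""
    group = fonttbl_group(data)
    return len(FONT_DEF.findall(group)) if group else 0


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment. Verdict names are assumed for this example:
    'allow', 'rtf', 'rtf-extension-mismatch', 'rtf-suspicious-fonttbl'."""
    rtf = is_rtf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fonts = font_count(data) if rtf else 0
    if not rtf:
        verdict = "allow"
    elif fonts > FONT_COUNT_THRESHOLD:
        verdict = "rtf-suspicious-fonttbl"
    elif ext != "rtf":
        verdict = "rtf-extension-mismatch"   # RTF content behind another extension
    else:
        verdict = "rtf"                      # honest RTF: still route to Protected View
    return {"file": filename, "is_rtf": rtf, "fonts": fonts, "verdict": verdict}


# Constructed sample attachments; none is a real document or an exploit.
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss Calibri;}{\\f1 Arial;}}Hello}",
    "invoice.doc": b"  {\\rtf1\\ansi Renamed RTF hiding behind a .doc extension}",
    "notes.txt": b"Plain text, nothing to see here.",
    "bloated.rtf": b"{\\rtf1{\\fonttbl" + b"".join(b"{\\f%d Arial;}" % i for i in range(2000)) + b"}}",
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample filename to its verdict."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

The point of the content check is that an extension filter alone is easy to sidestep by renaming: `invoice.doc` above is RTF and is flagged as such. The `rtf` verdict for an honestly named file is deliberately not `allow`, so that the gateway policy (quarantine, or open in Protected View) is applied to all RTF until the patch is confirmed deployed.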
https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716