CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability

Overview

Severity

Critical (CVSS 9.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Feb

Released

2023-02-14

Last Updated

2023-02-23

EPSS Score

91.42% (percentile: 99.7%)

FAQ

What is the attack vector for this vulnerability? An unauthenticated attacker could send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1? No. Customers running SharePoint Enterprise Server 2013 Service Pack 1 should install either of the following: Cumulative update (ubersrv13). Note that this update also includes the *srvloc2013 update Both of the security updates (sts2013 AND *loc2013), which are the same updates as for Foundation Server 2013 Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates. I am running SharePoint Foundation 2013 Service Pack 1. Do I need to install all the updates that are listed for SharePoint Foundation 2013 Service Pack 1 ? Yes, customers running SharePoint Foundation 2013 Service Pack 1 should install both of the security updates. The updates can be installed in any order.

Known Exploits (7)

• Microsoft Word Remote Code Execution — added 2024-09-16T13:04:45Z
• Microsoft Word Remote Code Execution — added 2023-04-16T21:12:29Z
• Microsoft Word Remote Code Execution — added 2023-03-24T15:58:25Z
• Microsoft Word Remote Code Execution — added 2023-03-08T12:00:59Z
• Microsoft Word Remote Code Execution — added 2023-03-08T06:20:45Z
• Microsoft Word Remote Code Execution — added 2023-03-07T15:03:43Z
• Microsoft Word Remote Code Execution — added 2023-03-07T09:34:12Z

Detection & Weaponization (2 sources)

Maturity: Detection

• YARA rules: SECUINFRA_HUNT_RTF_CVE_2023_21716_Mar23
• GitHub PoC: 11 repositories

Affected Products (21)

Microsoft Office

• Microsoft Office LTSC for Mac 2021
• Microsoft Office LTSC 2021 for 32-bit editions
• Microsoft SharePoint Server Subscription Edition
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft 365 Apps for Enterprise for 32-bit Systems
• SharePoint Server Subscription Edition Language Pack
• Microsoft Office Online Server
• Microsoft Office 2019 for Mac
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office 2019 for 64-bit editions
• Microsoft SharePoint Enterprise Server 2016
• Microsoft SharePoint Enterprise Server 2013 Service Pack 1
• Microsoft SharePoint Server 2019
• Microsoft Word 2016 (64-bit edition)
• Microsoft Word 2016 (32-bit edition)
• Microsoft Office 2019 for 32-bit editions
• Microsoft Office Web Apps Server 2013 Service Pack 1
• Microsoft SharePoint Foundation 2013 Service Pack 1
• Microsoft Word 2013 Service Pack 1 (32-bit editions)
• Microsoft Word 2013 RT Service Pack 1
• Microsoft Word 2013 Service Pack 1 (64-bit editions)

Security Updates (15)

• Release Notes
• 5002353
• 5002352
• 5002309
• 5002325
• 5002346
• 5002347
• 5002312
• 5002342
• 5002330
• 5002323
• 5002323
• 5002313
• 5002316
• 5002316

Acknowledgments

<a href="https://twitter.com/jduck">Joshua J. Drake</a>

Revision History

• 2023-02-14: Information published.
• 2023-02-17: Added FAQs section and added clarifying information to the Mitigations section. This is an informational change only.
• 2023-02-23: The following updates have been made: 1) In the Security Updates table, added the following versions of Microsoft Office as they are also affected by this vulnerability: Microsoft Office 2019 for 32-bit editions and Microsoft Office 2019 for 64-bit editions. Microsoft strongly recommends that customers running any of these versions of Office install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action. 2) Added additional Microsoft Office and Microsoft Outlook workaround guidance.