Published: July 13, 2023
CVE-2023-36884 (CVSS score – 8.1) is an Office and Windows HTML Remote Code Execution Vulnerability disclosed by Microsoft on July 11, 2023, as part of its latest Patch Tuesday, comprising 132 vulnerabilities. This vulnerability is being actively exploited by a threat actor known as Storm-0978. The exploit attempts to perform remote code execution using specially crafted Microsoft Office documents. However, for the exploit to be successful, the attacker must persuade the victims to open the malicious Office document. Currently, no patch has been released for this vulnerability, but mitigations are available. Microsoft recommends mitigating this vulnerability via Attack Surface Reduction Rules or by performing registry key modifications to disable certain features in Windows.
The CVE-2023-36884 vulnerability affects a total of 41 products including multiple versions of Windows, Windows Server, and Office, and can be successfully exploited using a specially crafted Word document that allows an unauthorised actor to achieve RCE in the security context of the victim, if the victim can be convinced to open the malicious file. This vulnerability is being actively exploited by a threat actor known as Storm-0978 in targeted attacks against defense and government entities in Europe and North America. The threat actor delivered the exploit using lures related to the Ukraine World Congress. Successful exploitation has enabled the attackers to carry out both espionage and ransomware operations: the Storm-0978 group used the RomCom variant for espionage, and Underground Ransomware was deployed for ransomware operations. Microsoft says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
This vulnerability affects a total of 41 products including multiple versions of Windows, Windows Server, and Office. The list of affected products can be found in the Security Updates section of the Microsoft vulnerability bulletin: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
Mitigations and Workarounds
There is no patch currently available from Microsoft for this vulnerability.
- Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
- In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
- Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
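The following PowerShell script is an added example (not part of the original advisory and not Netsurion's or Microsoft's code) that applies and then verifies the two mitigations described above: the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry values and the "Block all Office applications from creating child processes" Attack Surface Reduction rule. It assumes an elevated session on a host running Microsoft Defender Antivirus as the primary AV (the Add-MpPreference and Get-MpPreference cmdlets come from the Defender module). The list of application names is taken from Microsoft's CVE-2023-36884 guidance rather than from this page, so confirm it against the current MSRC advisory before rolling it out; the ASR rule GUID is the standard identifier for that rule.

```powershell
# Added example: apply and verify the CVE-2023-36884 mitigations on one Windows host.
# Run from an elevated PowerShell session. Not the advisory's own code.

# Registry key from the advisory, expressed as a PowerShell HKLM: path.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Application names from Microsoft's CVE-2023-36884 guidance (assumption: verify against the MSRC advisory).
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

# GUID of the ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolNavigationBlock {
    # Create the key if it is missing, then write REG_DWORD = 1 for every application name.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolNavigationBlock {
    # Returns the application names whose value is absent or not 1; an empty result means compliant.
    $notSet = @()
    foreach ($app in $OfficeApps) {
        $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        if ($value -ne 1) { $notSet += $app }
    }
    return $notSet
}

function Enable-OfficeChildProcessAsrRule {
    # Put the rule in Block mode. Use -AttackSurfaceReductionRules_Actions AuditMode first
    # if you need to measure the impact on existing Office workflows.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-OfficeChildProcessAsrRule {
    # Returns $true only when the rule is configured and its action is Block (1).
    # Ids and Actions are parallel arrays in the Defender preference object.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProcessRule) { return ($actions[$i] -eq 1) }
    }
    return $false
}

# Apply both mitigations, then report what was actually persisted.
Set-CrossProtocolNavigationBlock
Enable-OfficeChildProcessAsrRule

$missing = Test-CrossProtocolNavigationBlock
if ($missing.Count -eq 0) {
    Write-Output 'Registry mitigation: all application values set to 1.'
} else {
    Write-Output "Registry mitigation incomplete for: $($missing -join ', ')"
}

if (Test-OfficeChildProcessAsrRule) {
    Write-Output 'ASR rule (Office child processes): Block mode.'
} else {
    Write-Output 'ASR rule (Office child processes): not in Block mode.'
}
```

The two Test-* functions are deliberately separate from the Set-/Enable- functions so the same script can be run in a verification-only mode across a fleet (for example, by calling only the Test-* functions from a configuration-management or vulnerability-scanning job). Because the advisory notes that the registry setting can break legitimate functionality for some applications, stage the change on a pilot group and run the ASR rule in audit mode before switching it to Block.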
Here are some best practices to prevent the CVE-2023-36884 vulnerability from being exploited:
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Mitigate the vulnerability via Attack Surface Reduction Rules or by performing registry key modifications to disable certain features in Windows. In current attack chains, the use of the Attack Surface Reduction Rule “Block all Office applications from creating child processes” will prevent the vulnerability from being exploited.
Netsurion Detection and Response
Netsurion researchers are continuously monitoring the exploits of this vulnerability. Our security analysts will be adding the IOCs (Indicators of Compromise: the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our Threat Intelligence Platform. This will help detect exploitation of this vulnerability by flagging the malicious files and suspicious Command and Control communications to the associated IP addresses. Netsurion’s vulnerability management system will also detect the vulnerability (CVE-2023-36884) for customers who have subscribed to Netsurion Vulnerability Management.