CVE-2023-21716: Microsoft Word Remote Code Execution Exploit Explained

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

As a part of Patch Tuesday, Microsoft released patches for a critical remote code execution vulnerability found in Office Word's RTF parser. CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical) and affects a wide variety of Microsoft Office, SharePoint, and 365 Apps versions. Users are advised to update to the latest versions as soon as possible.

Picus Labs added simulations for CVE-2023-21716 vulnerability exploitation attacks to Picus Threat Library. In this blog, we explained the Microsoft Word CVE-2023-21716 remote code execution vulnerability in detail.

Learn How to Prevent Emerging Threats with '2x Prevention with BAS' Whitepaper

What is CVE-2023-21716 Vulnerability?

CVE-2023-21716 vulnerability was privately disclosed to Microsoft in November 2022, and Microsoft addressed the vulnerability in their Patch Tuesday updates on February 14, 2023. The vulnerability is a heap corruption vulnerability found in MS Office Word's RTF parser. When exploited, the vulnerability allows adversaries to execute arbitrary commands with the victim's privileges via malicious RTF files. Even loading the malicious RTF document in the Preview Pane is enough for exploitation, and the victims do not have to open the payload. Due to the low complexity and high impact of potential exploitation, the CVE-2023-21716 vulnerability has a CVSS score of 9.8 (Critical).

The following Microsoft products are affected by the CVE-2023-21716 vulnerability, and users are advised to patch their vulnerable products as soon as possible.

Affected products

Microsoft 365 Apps

for Enterprise

  • for 32-bit and 64-bit editions

Microsoft Office

Office 2019

  • for Mac, 32-bit, and 64-bit editions

Office LTSC 2021

  • for Mac 2021, 32-bit and 64-bit systems

Office Online Server

Office Web Apps Server 2013 Service Pack 1

Microsoft Word

Word 2013

  • for RT SP1, SP1 32-bit and SP1 64-bit editions

Word 2016

  • for 32-bit and 64-bit editions

Microsoft SharePoint

Enterprise Server 2013 Service Pack 1

Enterprise Server 2016

Foundation 2013 Service Pack 1

Server 2019

Server Subscription Edition

Server Subscription Edition Language Pack

If patching the vulnerable products is not an option, users may apply the following workarounds to limit potential CVE-2023-21716 exploits.

  • Configure Microsoft Outlook to read all standard mail in plaintext

  • Use Microsoft Office File Block policy to prevent MS Office from opening RTF documents from untrusted sources.

    • Change the RtfFiles DWORD value to 2 and OpenInProtectedView DWORD value to 0 for the following registries

      • Office 2013: HKCU\Software\Microsoft\Office\15.0\Word\Security\FileBlock

      • Office 2016, 2019, 2021: HKCU\Software\Microsoft\Office\16.0\Word\Security\FileBlock

Exploiting Microsoft Word CVE-2023-21716 Vulnerability

CVE-2023-21716 vulnerability is a heap corruption vulnerability found in Microsoft Word's RTF Parser. When dealing with font tables, the RTF parser loads the font ID value (\f####) and fills the upper bits of EDX with the font ID value. If a font table (\fonttbl) contains too large of a font ID value, the RTF parser corrupts the heap and causes a negative offset in the memory held in ESI. This heap corruption can then be exploited for arbitrary command execution with the victim's privileges.

open("malicious.rtf","wb").write(("{\\rtf1{\n{\\fonttbl" + "".join([ ("{\\f%dA;}\n" % i) for i in range(0,32761) ]) + "}\n{\\rtlch No Crash}\n}}\n").encode('utf-8'))

Example 1: Proof of Concept for CVE-2023-21716 Exploit

To exploit this vulnerability, adversaries create a malicious RTF file and deliver the payload via email or other means. When an unsuspecting user either opens or previews the malicious RTF file, adversaries execute arbitrary commands in the system and may potentially gain remote access to their target.

How Does Picus Help Simulate Microsoft Word CVE-2023-21716 RCE Vulnerability Exploitation Attacks?

We also strongly suggest simulating Microsoft Word CVE-2023-21716 attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other vulnerabilities, such as Log4Shell, Follina, ProxyShell, and ProxyNotShell, within minutes with a 14-day free trial of the Picus Platform

Picus Threat Library includes the following threats for Microsoft Word CVE-2023-21716 Attacks

Threat ID

Threat Name

Attack Module

36484

Microsoft Office Word RTF Font Table Heap Corruption Vulnerability Threat

Network Infiltration

39959

Microsoft Office Word RTF Font Table Heap Corruption Vulnerability Threat

Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Microsoft Word CVE-2023-21716 vulnerability exploitation attacks and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Microsoft Word CVE-2023-21716 vulnerability:

Security Control

Signature ID

Signature Name

Check Point NGFW

0EE5C289A

Malicious Binary.TC.3015fGer

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus Security Validation Platform.