Update 3/14 – Coverage section updated with available IPS signature.FortiGuard Labs is aware of a new proof of concept released over the weekend for CVE-2023-21716 (Microsoft Word Remote Code Execution Vulnerability).Patched in the February Microsoft Monthly Security Release, CVE-2023-21716 is a vulnerability within Microsoft Office’s wwlib which allows attackers to achieve remote code execution on a targeted machine via the use of a maliciously crafted RTF document. What makes this vulnerability dangerous is that It does not require any user interaction. As a proof of concept is now available, this makes exploitation even more likely as it does not require any legwork or additional development by an attacker.What are the technical details of the CVE-2023-21716?The RTF parser in Microsoft Word is susceptible to a heap corruption vulnerability when dealing with a font table containing an excessive number of fonts. The font ID value is corrupted because it loads upper bits from the EDX data register which is used for arithmetic and logical operations and contains appended writes of ffff, which will then corrupt the heap via an out of bounds memory write.What is the CVSS score for CVE-2023-21716?The CVSS score is 9.8 (CRITICAL).Are Patches Available?Yes, Microsoft published patches in the February 14, 2023 Patch Tuesday update.What Versions of Microsoft Office are Vulnerable?Unpatched versions vulnerable are:Microsoft Office 2019 for 32-bit editionsMicrosoft Office 2019 for 64-bit editionsMicrosoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Word 2013 RT Service Pack 1Microsoft Word 2013 Service Pack 1 (32-bit editions)Microsoft SharePoint Foundation 2013 Service Pack 1Microsoft Office Web Apps Server 2013 Service Pack 1Microsoft Word 2016 (32-bit edition)Microsoft Word 2016 (64-bit edition)Microsoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2013 Service Pack 1Microsoft SharePoint Enterprise Server 2016Microsoft 365 Apps for Enterprise for 64-bit SystemsMicrosoft Office 2019 for MacMicrosoft Office Online ServerSharePoint Server Subscription Edition Language PackMicrosoft 365 Apps for Enterprise for 32-bit SystemsMicrosoft Office LTSC 2021 for 64-bit editionsMicrosoft SharePoint Server Subscription EditionMicrosoft Office LTSC 2021 for 32-bit editionsMicrosoft Office LTSC for Mac 2021to CVE-2023-27176 are:Microsoft Office 2019 for 32-bit editionsMicrosoft Office 2019 for 64-bit editionsMicrosoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Word 2013 RT Service Pack 1Microsoft Word 2013 Service Pack 1 (32-bit editions)Microsoft SharePoint Foundation 2013 Service Pack 1Microsoft Office Web Apps Server 2013 Service Pack 1Microsoft Word 2016 (32-bit edition)Microsoft Word 2016 (64-bit edition)Microsoft SharePoint Server 2019Microsoft SharePoint Enterprise Server 2013 Service Pack 1Microsoft SharePoint Enterprise Server 2016Microsoft 365 Apps for Enterprise for 64-bit SystemsMicrosoft Office 2019 for MacMicrosoft Office Online ServerSharePoint Server Subscription Edition Language PackMicrosoft 365 Apps for Enterprise for 32-bit SystemsMicrosoft Office LTSC 2021 for 64-bit editionsMicrosoft SharePoint Server Subscription EditionMicrosoft Office LTSC 2021 for 32-bit editionsMicrosoft Office LTSC for Mac 2021What are the Details of Coverage?Customer running latest IPS definitions are protected against exploitation by:MS.Office.Word.RTF.wwlib.Memory.CorruptionAny Suggested Mitigation?FortiGuard Labs suggests that all users of affected versions of Microsoft Office patch immediately. If this is not an option, other mitigations suggested by Microsoft include reading emails in plain text only format and utilizing the Microsoft Office File Block policy, which prevents RTF documents from being previewed or opened without user interaction. Further mitigation guidance from Microsoft can be found under “Microsoft Word Remote Code Execution Vulnerability” In the APPENDIX.
