CVEs Aiding Initial Access for Ransomware Gangs – Microsoft Office

Microsoft Office CVEs 2017-0199, 2017-11882, 2021-40444


In this write-up we briefly explore the following Microsoft CVEs, CVE-2017-0199, CVE-2017-11882, and CVE-2021-40444, all of which affect the Microsoft Office suite. We look at the objects exploited, the impact mechanisms, sample exploitations and attack flows, detections, and remediation.

Justification

It is important to analyze these CVEs, their exploits, and how to identify when they may have been used to compromise a system, because a large percentage of enterprise users, including administrative ones, use the Microsoft Office suite for data entry and processing tasks. As a result, exploitation of a vulnerability in an Office product may allow a malicious actor, such as a ransomware gang, to gain a foothold in the enterprise environment.

CVEs
CVE-2017-0199
This is a remote code execution vulnerability that was discovered as a zero-day, before it had been exploited in the wild.
Affected products
The following products are affected: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8.1.
Exploitation
This CVE is exploited by sending a user a specially crafted file and convincing the user to open or preview it. A validated exploit can be found here at Exploit-DB.

Delivery mechanism
Infected Office files are usually delivered via phishing emails, drive-by downloads, and watering-hole attacks.
Impact
If exploited, this vulnerability allows remote attackers to take control of an affected system. An attacker could then install programs and view, change, or delete data.

Mitigation

  • Apply the security update applicable to the versions of the affected products found in your environment. The updates can be found here.
  • Enforce opening of documents in Protected View.
  • Be suspicious of all emails with links or documents.

CVE-2017-11882
This is a vulnerability in Microsoft Office products that allows an attacker to run arbitrary code in the context of the current user because the software fails to properly handle objects in memory, aka “Microsoft Office Memory Corruption Vulnerability”.
Affected products
Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016.
Exploitation
This vulnerability is exploited by sending a user a specially crafted file, to be opened with an affected version of Microsoft Office or Microsoft WordPad, and convincing the user to open it. An exploit can be found here.
Delivery mechanism
Delivery can be via the email scenario, where a user is sent the specially crafted file and convinced to open it. Alternatively, a web attack scenario can be used, where the file is hosted either on an outright malicious domain or on a compromised website, from which victims download the malicious documents to their endpoints.
Impact
Where this vulnerability is successfully exploited, an attacker can run arbitrary code in the context of the current user; if the current user is an administrative user, the malicious actor can take control of the affected endpoint.

Mitigation

  • Configure user accounts according to the principle of least privilege. This reduces the access an attacker gains if this vulnerability is exploited.
  • Apply the recommended security update for your version of Office, found here.
  • Be suspicious of all emails with links or documents.

CVE-2021-40444
This vulnerability allows an attacker to achieve remote code execution via a specially crafted malicious ActiveX control embedded in a Microsoft Office document that hosts the browser rendering engine.
Exploitation
A malicious document containing an ActiveX control that exploits the vulnerability is crafted and sent to a victim. The victim is then convinced to open the document; if it is opened outside Protected View, this results in remote code execution and gives the malicious actor control.
Delivery mechanism
Typically, as with most Office exploits, this is delivered via phishing emails and watering-hole attacks.
Impact
Where the vulnerability is successfully exploited, the malicious actor gains remote code execution and can make changes to the endpoint (install applications, delete files, read files, etc.). In the scenario where the affected user is an administrative user, the impact is greater.
Mitigation

  • Ensure Microsoft Office documents are opened in Protected View.
  • Keep antivirus definitions and engines up to date.
  • Configure least privilege on user profiles to reduce the impact of attacks.
  • Disable ActiveX via Group Policy or the Registry Editor.
  • Apply the security updates found here.
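As an added example (not part of the original write-up), the following PowerShell audits the two registry-backed mitigations listed for CVE-2017-0199 and CVE-2021-40444 above, Protected View enforcement for Word and disabling ActiveX downloads in the Internet Explorer security zones that the Office-hosted browser engine honours, and optionally enforces them. It assumes Office 2016 or later (the 16.0 policy key) and administrative rights for the HKLM writes; the -Enforce switch is introduced here.

```powershell
# Added example: audit (and optionally enforce) Protected View policy and
# ActiveX download restrictions. Assumes Office 16.0 and admin rights.
param([switch]$Enforce)

# Protected View policy values: 0 = Protected View is enforced for that source.
$pvPolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
$pvValues = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'

# IE zone URL actions: 1001 = download signed ActiveX, 1004 = download unsigned
# ActiveX; value 3 = Disable. Zones 0-3 = Local Machine, Intranet, Trusted, Internet.
$zoneRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = '1001', '1004'

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # A missing key or value yields $null, which is reported as non-compliant.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path = $Path; Name = $Name; Expected = $Expected; Actual = $actual
        Compliant = ($actual -eq $Expected)
    }
}

function Set-RegValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$checks = @()
foreach ($v in $pvValues) { $checks += Test-RegValue -Path $pvPolicy -Name $v -Expected 0 }
foreach ($z in 0..3) {
    foreach ($n in $zoneNames) { $checks += Test-RegValue -Path "$zoneRoot\$z" -Name $n -Expected 3 }
}

foreach ($c in $checks | Where-Object { -not $_.Compliant }) {
    Write-Warning "Non-compliant: $($c.Path)\$($c.Name) is '$($c.Actual)', expected $($c.Expected)"
    if ($Enforce) { Set-RegValue -Path $c.Path -Name $c.Name -Value $c.Expected }
}

$checks | Format-Table Name, Expected, Actual, Compliant, Path -AutoSize
```

Run without -Enforce first to see which settings are unmanaged; a Protected View value that is absent means the behaviour is left to the user's own Trust Center choices rather than enforced by policy.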

Conclusions and General Recommendations

From the above look at the Microsoft CVEs, we see common threads linking them. They share a similar delivery mechanism: phishing emails or downloads from a website. Additionally, they all require a user to preview or open the specially crafted document in an affected version of the product for the vulnerability to be exploited. Thus, the key takeaways from this study are as follows:

  • Ensure all systems and applications are up to date and have the latest
    patches.
  • Embark on a user awareness campaign so that users scrutinize documents
    before opening them, especially documents from outside sources.
  • Implement email filtering and document scanning on inbound emails.
  • Ensure anti-virus engines and definitions are up to date.

By Chris Bassey and Kasim Mustapha

One Comment

  • Reason we need to always back up our files, at least it would reduce the effect in such a case scenario, right?

