CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability - Mitigation

I haven’t validated it, but this appears to be the correct fixlet for mitigation for this CVE:

This is not tested, not validated, my first pass at content from my reading of the mitigation settings.

Read more here: Security Update Guide - Microsoft Security Response Center

The key relevance:

18 != number of values ("Excel.exe";"Graph.exe";"MSAccess.exe";"MSPub.exe";"Powerpnt.exe";"Visio.exe";"WinProj.exe";"WinWord.exe";"Wordpad.exe") whose(it as string as integer = 1) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" of (x64 registries; x32 registries)

The actionscript:

// Block Excel.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Excel.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Excel.exe"=dword:00000001

// Block Graph.exe:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Graph.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Graph.exe"=dword:00000001

// Block MSAccess.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "MSAccess.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "MSAccess.exe"=dword:00000001

// Block MSPub.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "MSPub.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "MSPub.exe"=dword:00000001

// Block Powerpnt.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Powerpnt.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Powerpnt.exe"=dword:00000001

// Block Visio.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Visio.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Visio.exe"=dword:00000001

// Block WinProj.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "WinProj.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "WinProj.exe"=dword:00000001

// Block WinWord.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "WinWord.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "WinWord.exe"=dword:00000001

// Block Wordpad.exe :
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Wordpad.exe"=dword:00000001
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION]" "Wordpad.exe"=dword:00000001

The settings get set in both the 32-bit and 64-bit registry locations, so while there are 9 in each, there are 18 total.

Mitigation

From a system where the fixlet was deployed:

Q: number of values ("Excel.exe";"Graph.exe";"MSAccess.exe";"MSPub.exe";"Powerpnt.exe";"Visio.exe";"WinProj.exe";"WinWord.exe";"Wordpad.exe") whose(it as string as integer = 1) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" of (x64 registries; x32 registries)
A: 18
T: 0.254 ms
I: singular integer

I’m not really certain how to test that the mitigation is in place correctly and effective, but this seems correct according to the Microsoft spec.

Details in NVD are not yet available: NVD - CVE-2023-36884

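As an added example that is not code from the thread or from BigFix, the same audit in PowerShell for checking a single host outside the BigFix client. It assumes the key path, the nine process names and the Microsoft 365 Apps build 16.0.16130.20644 quoted in the posts above; `Set-Mitigation` is my own helper name.

```powershell
# Added example, not from the thread: audit the CVE-2023-36884 registry mitigation on one host.
# Assumed from the posts above: key path, the nine process names and the M365 build threshold.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Processes = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','Powerpnt.exe','Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'
$PatchedM365Build = [version]'16.0.16130.20644'

function Get-MitigationState {
    # One row per process: the stored DWORD and whether it equals 1. Policies is not WOW64-redirected.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($p in $Processes) {
        $value = if ($key) { $key.GetValue($p, $null) } else { $null }
        [pscustomobject]@{ Process = $p; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Test-M365Protected {
    # Mirrors the reporting relevance: an Uninstall entry with "365" in DisplayName at or above the build.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $entries = Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like '*365*' -and $_.DisplayVersion }
    foreach ($e in $entries) {
        $v = $null
        if ([version]::TryParse($e.DisplayVersion, [ref]$v) -and $v -ge $PatchedM365Build) { return $true }
    }
    return $false
}

function Set-Mitigation {
    # Writes DWORD 1 for every process not yet set; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ((-not (Test-Path $KeyPath)) -and $PSCmdlet.ShouldProcess($KeyPath, 'Create key')) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($row in (Get-MitigationState | Where-Object { -not $_.Mitigated })) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$($row.Process)", 'Set DWORD = 1')) {
            New-ItemProperty -Path $KeyPath -Name $row.Process -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report: Wordpad.exe must be blocked; Office is covered by a patched M365 build or by all eight DWORDs.
$state     = Get-MitigationState
$state | Format-Table -AutoSize
$wordpadOk = ($state | Where-Object Process -eq 'Wordpad.exe').Mitigated
$officeOk  = (Test-M365Protected) -or
             -not ($state | Where-Object { $_.Process -ne 'Wordpad.exe' -and -not $_.Mitigated })
"Wordpad.exe mitigated: $wordpadOk; Office covered: $officeOk"
```

Run the script as-is to report; call `Set-Mitigation -WhatIf` from an elevated session to preview the writes before applying them.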

Based on feedback from Microsoft, ‘customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office …’. As such, we are now only blocking child process execution for Wordpad.exe, as that is not bundled into the Office suite.

Reporting for mitigated hosts:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" whose (exists value "Wordpad.exe" whose (it = 1) of it) of registry AND exists ((values "DisplayVersion" whose ((it = "16.0" and it >= "16.0.16130.20644") of (it as string as version)) of it as string) of keys whose (value "DisplayName" of it as string as lowercase contains "365") of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)


HKEY_LOCAL_MACHINE\SOFTWARE\Policies doesn’t get 32-bit redirection, so just the regset commands will work on 32- and 64-bit machines, and the relevance looking at both registries will find 18 values.


Do we have any patch for this?

That’s a question for Microsoft :slight_smile:


Not yet, thus the mitigation content provided above.

I think this mitigation content is being considered for official publication in the BigFix Patch sites but I don’t know if that has been decided yet.

If it is published, it should show up from this session relevance: (name of it, name of site of it) of bes fixlets whose(exists cve id lists whose(it contains "2023-36884") of it)

But for now, you can use the mitigation content on GitHub.

Ah, this makes sense. I don’t know that I ever tested this to see if that was true before, but I thought better safe than sorry. This does suggest I need half the commands, but also that I only need to check one of the registry locations instead of both, which would then make the same relevance work correctly on 32-bit Windows, where at the moment it would only work on 64-bit Windows.

I only remembered this when I tested my backout, which simply does a regdeletekey, and the accompanying regdeletekey64 failed.

And I had already wrapped the 64-bit OS tests into my scripts :grin:

Looks like HCL put out a registry patch for this a couple days ago.
