forked from mondoohq/cnspec-policies
mondoo-microsoft-vulnerability.mql.yaml
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-microsoft-vulnerability
    name: Microsoft Vulnerability Policy
    version: 1.1.0
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: windows
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: |
        ## Overview

        The Mondoo Microsoft Vulnerability Policy checks Windows systems for vulnerabilities in Windows and Microsoft applications. Use it together with the Platform Vulnerability Policy to identify missing patches.

        ### Run policy

        To run this policy against a Windows system:

        ```bash
        cnspec scan ssh [email protected]@192.168.1.1 --ask-pass -f core/mondoo-microsoft-vulnerability.mql.yaml
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Windows Office 2016, 2019, 2021
        filters: |
          asset.platform == "windows"
          packages.where( name == /Office/ && name == /2016|2019|2021/ ).length > 0
        checks:
          - uid: mondoo-microsoft-vulnerability-office-CVE-2023-21716
      - title: Windows Office 2016, 2019, 2021 without the CVE-2023-21716 fix
        filters: |
          asset.platform == "windows"
          packages.where( name == /Office/ && name == /2016|2019|2021/ ).all(version.split('.')[0] == 16 && version.split('.')[2] < 16026)
        checks:
          - uid: mondoo-microsoft-vulnerability-office-CVE-2023-21716-workaround
      - title: Windows SharePoint
        filters: |
          asset.platform == "windows"
          packages.where( name == /SharePoint/ ).length > 0
        checks:
          - uid: mondoo-microsoft-vulnerability-sharepoint-CVE-2023-21716
queries:
  - uid: mondoo-microsoft-vulnerability-office-CVE-2023-21716
    title: Ensure Office is patched against the Microsoft Word remote code execution vulnerability (CVE-2023-21716)
    impact: 98
    mql: |
      packages.where( name == /Office/ && name == /2016|2019|2021/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 16026)
    docs:
      desc: |
        The critical vulnerability CVE-2023-21716 is a Microsoft Word RTF font table heap corruption that allows an attacker to achieve remote code execution with the privileges of the victim who opens a malicious RTF document. More information can be found at [qoop.org](https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md).
      remediation: |
        Update your Office installation or apply the workaround. More information can be found at [msrc.microsoft.com](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716).
    refs:
      - url: https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
        title: Release notes for Microsoft Office security updates
  - uid: mondoo-microsoft-vulnerability-office-CVE-2023-21716-workaround
    title: Block opening RTF documents (workaround)
    impact: 98
    mql: |
      registrykey.property(path: 'HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock', name: 'RtfFiles').value == 2 || registrykey.property(path: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock', name: 'RtfFiles').value == 2
      registrykey.property(path: 'HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock', name: 'OpenInProtectedView').value == 0 || registrykey.property(path: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock', name: 'OpenInProtectedView').value == 0
    docs:
      desc: |
        The critical vulnerability CVE-2023-21716 is a Microsoft Word RTF font table heap corruption that allows an attacker to achieve remote code execution with the privileges of the victim who opens a malicious RTF document. More information can be found at [qoop.org](https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md).

        Use the Microsoft Office File Block policy to prevent Office from opening RTF documents from unknown or untrusted sources.

        Impact of workaround: Email messages viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. In addition, the following behavior may be experienced:

        - The changes are applied to the preview pane and to open messages.
        - Pictures become attachments so that they are not lost.
        - Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
      remediation: |
        **For Office 2013**

        Run regedit.exe as Administrator and navigate to the following subkey:

        `[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]`

        Set the RtfFiles DWORD value to 2.
        Set the OpenInProtectedView DWORD value to 0.

        **For Office 2016 / 2019 / 2021**

        Run regedit.exe as Administrator and navigate to the following subkey:

        `[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]`

        Set the RtfFiles DWORD value to 2.
        Set the OpenInProtectedView DWORD value to 0.
    refs:
      - url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716
        title: Microsoft Word Remote Code Execution Vulnerability
  - uid: mondoo-microsoft-vulnerability-sharepoint-CVE-2023-21716
    title: Ensure SharePoint is patched against the Microsoft Word remote code execution vulnerability (CVE-2023-21716)
    impact: 98
    mql: |
      packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 15 && version.split('.')[2] >= 5529)
      packages.where( name == /SharePoint/ && name == /2016/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 5383)
      packages.where( name == /SharePoint/ && name == /2019/ ).all(version.split('.')[0] == 16 && version.split('.')[2] >= 10395)
    docs:
      desc: |
        The critical vulnerability CVE-2023-21716 is a Microsoft Word RTF font table heap corruption that allows an attacker to achieve remote code execution with the privileges of the victim who opens a malicious RTF document. More information can be found at [qoop.org](https://qoop.org/publications/cve-2023-21716-rtf-fonttbl.md).
      remediation: |
        Update your SharePoint installation. More information can be found at [msrc.microsoft.com](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716).
    refs:
      - url: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-foundation-2013-february-14-2023-kb5002347-4c58e863-2d2f-440e-b0cd-f4f8fb4bcba6
        title: Description of the security update for SharePoint Foundation 2013, February 14, 2023 (KB5002347)
      - url: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-enterprise-server-2016-language-pack-february-14-2023-kb5002325-c5c23c76-63e8-482b-ad36-4d0a999454cb
        title: Description of the security update for SharePoint Enterprise Server 2016 Language Pack, February 14, 2023 (KB5002325)
      - url: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-february-14-2023-kb5002342-abd83b9f-b088-44fb-a583-f45337d83cba
        title: Description of the security update for SharePoint Server 2019, February 14, 2023 (KB5002342)
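As an added example (not part of the Mondoo policy or of cnspec), the following PowerShell performs the policy's two Office checks locally on a Windows host: it lists installed Office 2016/2019/2021 products, compares the build component of their version against the policy's fixed build 16026 as an integer, and inspects the same FileBlock registry values the workaround check reads. Reading products from the Uninstall registry keys and the function names are this example's own choices.

```powershell
# Added example; not part of the Mondoo policy. The build threshold 16026 and the FileBlock
# registry values are taken from the policy; the Uninstall-key enumeration is this script's choice.
$FixedBuild = 16026   # policy mql: version.split('.')[2] >= 16026

function Get-OfficeProducts {
    # Enumerate installed products from the standard Uninstall keys (64-bit and 32-bit views).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Office' -and $_.DisplayName -match '2016|2019|2021' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-OfficeBuildPatched {
    param([string]$Version)
    # Office versions look like 16.0.<build>.<revision>. Compare the build as an integer so that
    # a shorter build such as "9999" is not judged newer than "16026" by string comparison.
    $parts = $Version -split '\.'
    if ($parts.Count -lt 3) { return $false }
    $major = $parts[0] -as [int]
    $build = $parts[2] -as [int]
    if ($null -eq $major -or $null -eq $build) { return $false }
    return ($major -eq 16) -and ($build -ge $FixedBuild)
}

function Test-RtfFileBlock {
    # Workaround check. Slightly stricter than the policy's two independent OR conditions: both
    # values must be set in the same Word hive, which is what the remediation steps produce.
    # HKCU is per user, so run this as the user whose Word configuration is being audited.
    foreach ($ver in '15.0', '16.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\FileBlock"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0) { return $true }
    }
    return $false
}

$products = @(Get-OfficeProducts)
if ($products.Count -eq 0) { 'No Office 2016/2019/2021 products found.' }
foreach ($prod in $products) {
    $state = if (Test-OfficeBuildPatched -Version $prod.DisplayVersion) { 'patched' } else { 'VULNERABLE' }
    '{0,-50} {1,-18} {2}' -f $prod.DisplayName, $prod.DisplayVersion, $state
}
"RTF File Block workaround in place: $(Test-RtfFileBlock)"
```

A product reported as VULNERABLE with the workaround reported as False is the combination the policy's second group targets.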