Background & Context

WordPad is a word processor software included with Windows 95 and later, until Windows 11. Similarly to its predecessor Microsoft Write, it is a basic word processor, positioned as more advanced than the Notepad text editor by supporting rich text editing, but with a subset of the functionality of Microsoft Word.

Earlier versions primarily supported a subset of the Rich Text Format (RTF, .rtf) and Microsoft Word 6.0 formats, although support for these formats were removed beginning with Windows XP Service Pack 2 and Windows Vista respectively for security reasons. Current versions are capable of saving Office Open XML (OOXML, .docx) and OpenDocument Text (.odt) files.

Vulnerability Summary

The WordPad application in Microsoft Windows can be exploited in order to improperly access sensitive NTLM Hashes. The NTLM hash is the cryptographic format in which user passwords are stored on Windows systems. NTLM hashes are stored in the SAM (security account manager) or NTDS file of a domain controller. They are a fundamental part of the mechanism used to authenticate a user through different communications protocols.

Impact If Exploited

Exploit is possible in one of two ways:

• One way is to log in as a rogue or compromised user, and then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
• The other way is to trick a victim into opening a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

If an attacker is able to gain NTLM hashes, they may be able to perform privilege escalation attacks and gain access to unauthorised user contexts, from which they could execute arbitrary code or commands on the system.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2023-10-11. Prioritisation should be given to remediation in any impacted environment.

Affected Product Versions

• Windows Server 2008 R2 for x64-based Systems Service Pack 1 prior to build 6.1.7601.26769
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 prior to build 6.1.7601.26769
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) prior to build 6.0.6003.22317
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) prior to build 6.0.6003.22317
• Windows Server 2008 for x64-based Systems Service Pack 2 prior to build 6.0.6003.22317
• Windows Server 2008 for x64-based Systems Service Pack 2 prior to build 6.0.6003.22317
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) prior to build 6.0.6003.22317
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) prior to build 6.0.6003.22317
• Windows Server 2008 for 32-bit Systems Service Pack 2 prior to build 6.0.6003.22317
• Windows Server 2008 for 32-bit Systems Service Pack 2 prior to build 6.0.6003.22317
• Windows Server 2016 (Server Core installation) prior to build 10.0.14393.6351
• Windows Server 2016 prior to build 10.0.14393.6351
• Windows 10 Version 1607 for x64-based Systems prior to build 10.0.14393.6351
• Windows Server 2019 prior to build 10.0.17763.4974
• Windows 10 Version 1809 for ARM64-based Systems prior to build 10.0.17763.4974
• Windows 10 Version 1809 for x64-based Systems prior to build 10.0.17763.4974
• Windows 10 Version 1809 for 32-bit Systems prior to build 10.0.17763.4974
• Windows 10 Version 1607 for 32-bit Systems prior to build 10.0.14393.6351
• Windows 10 for x64-based Systems prior to build 10.0.10240.20232
• Windows 10 for 32-bit Systems prior to build 10.0.10240.20232
• Windows 10 Version 22H2 for 32-bit Systems prior to build 10.0.19045.3570
• Windows 10 Version 22H2 for ARM64-based Systems prior to build 10.0.19045.3570
• Windows 10 Version 22H2 for x64-based Systems prior to build 10.0.19045.3570
• Windows 11 Version 22H2 for x64-based Systems prior to build 10.0.22621.2428
• Windows 11 Version 22H2 for ARM64-based Systems prior to build 10.0.22621.2428
• Windows 10 Version 21H2 for x64-based Systems prior to build 10.0.19041.3570
• Windows 10 Version 21H2 for ARM64-based Systems prior to build 10.0.19041.3570
• Windows 10 Version 21H2 for 32-bit Systems prior to build 10.0.19041.3570
• Windows 11 version 21H2 for ARM64-based Systems prior to build 10.0.22000.2538
• Windows 11 version 21H2 for x64-based Systems prior to build 10.0.22000.2538
• Windows Server 2022 (Server Core installation) prior to build 10.0.20348.2031
• Windows Server 2022 prior to build 10.0.20348.2031
• Windows Server 2019 (Server Core installation) prior to build 10.0.17763.4974
• Windows Server 2012 R2 (Server Core installation) prior to build 6.3.9600.21620
• Windows Server 2012 R2 (Server Core installation) prior to build 6.3.9600.21620
• Windows Server 2012 R2 prior to build 6.3.9600.21620
• Windows Server 2012 R2 prior to build 6.3.9600.21620
• Windows Server 2012 (Server Core installation) prior to build 6.2.9200.24523
• Windows Server 2012 (Server Core installation) prior to build 6.2.9200.24523
• Windows Server 2012 prior to build 6.2.9200.24523
• Windows Server 2012 prior to build 6.2.9200.24523
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) prior to build 6.1.7601.26769
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) prior to build 6.1.7601.26769

Remediation

Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of the impacted Microsoft Windows Instance(s). Update guidance is provided at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

No official mitigation guidance is offered by the vendor. It may be possible to consider blocking outbound NTLM over SMB on Windows 11, to hamper NTLM-relay exploits until the vulnerability is formally patched.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References:

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563

Category: Sensitive Data Disclosure

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).