Vulnerabilities > CVE-2018-8310 - Unspecified vulnerability in Microsoft Office and Word

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
microsoft
nessus

Summary

A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails, aka "Microsoft Office Tampering Vulnerability." This affects Microsoft Word, Microsoft Office.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS18_JUL_WORD.NASL
    descriptionThe Microsoft Word Products are missing a security update. It is, therefore, affected by the following vulnerability : - A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server. The attacker who successfully exploited the vulnerability could then embed untrusted TrueType fonts in the body of an email. This behavior could be combined with other exploits to further compromise a user's system.
    last seen2020-06-01
    modified2020-06-02
    plugin id110994
    published2018-07-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110994
    titleSecurity Updates for Microsoft Word Products (July 2018)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    # Registration phase: when the plugin is loaded with 'description' set, this
    # block only declares metadata and ends with exit(0), so none of the host
    # checks further down execute on this path.
    if (description)
    {
      script_id(110994);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/04");
    
      # Cross-references: a single CVE that is resolved by three per-release
      # Word updates (KB4022218, KB4022224, KB4022202).
      script_cve_id("CVE-2018-8310");
      script_bugtraq_id(104615);
      script_xref(name:"MSKB", value:"4022218");
      script_xref(name:"MSKB", value:"4022224");
      script_xref(name:"MSKB", value:"4022202");
      script_xref(name:"MSFT", value:"MS18-4022218");
      script_xref(name:"MSFT", value:"MS18-4022224");
      script_xref(name:"MSFT", value:"MS18-4022202");
    
      script_name(english:"Security Updates for Microsoft Word Products (July 2018)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      # The advisory text below names Outlook's HTML e-mail rendering, while the
      # title, CPE and KB list of this plugin are all Word: triage a finding by
      # the installed Word build, not by the Outlook build.
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Word Products are missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Word Products are missing a security update.
    It is, therefore, affected by the following vulnerability :
    
      - A tampering vulnerability exists when Microsoft Outlook
        does not properly handle specific attachment types when
        rendering HTML emails. An attacker could exploit the
        vulnerability by sending a specially crafted email and
        attachment to a victim, or by hosting a malicious .eml
        file on a web server. The attacker who successfully
        exploited the vulnerability could then embed untrusted
        TrueType fonts in the body of an email. This behavior
        could be combined with other exploits to further
        compromise a user's system. The security update
        addresses the vulnerability by correcting how Microsoft
        Outlook handles attachments. (CVE-2018-8310)");
      # The see_also values are nessus.org short links over plain http; the
      # comment above each one records the Microsoft support article it is
      # meant to stand for.
      # https://support.microsoft.com/en-us/help/4022218/description-of-the-security-update-for-word-2016-july-10-2018
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?38466f10");
      # https://support.microsoft.com/en-us/help/4022224/description-of-the-security-update-for-word-2013-july-10-2018
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d5386f78");
      # https://support.microsoft.com/en-us/help/4022202/description-of-the-security-update-for-word-2010-july-10-2018
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c3c4a554");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4022218
      -KB4022224
      -KB4022202");
      # Base vectors as published: network vector, low complexity, no
      # authentication/privileges, integrity impact only (Partial in v2, High
      # in v3), no confidentiality or availability impact.
      # NOTE(review): the v3 vector carries UI:N although the described delivery
      # is an e-mail or hosted .eml file reaching a victim; treat the score as
      # the published value (cvss_score_source below) rather than re-deriving it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8310");
    
      # Exploit availability is a static string here; it reflects the state at
      # the plugin's last revision (2019/11/04 above) and is not refreshed.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/10");
    
      # NOTE(review): "local" presumably means the verdict comes from data read
      # on the host (file versions, patch inventory) rather than from probing a
      # service, so the scan needs credentials or patch-management data.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
      script_end_attributes();
    
      # Declared as an information-gathering check in the Microsoft Bulletins family.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the listed plugins run first, and the KB key that the
      # check phase reads with get_kb_item_or_exit() must be present.
      # NOTE(review): the ports entry presumably lets the plugin run when either
      # SMB (139/445) or the patch-management KB flag is available - confirm.
      script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    # Result flag shared between perform_word_checks() (writer) and MAIN (reader).
    global_var vuln;
    
    # Bail out early unless the knowledge base says bulletin checks are possible.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS18-07";
    
    # One update per covered Word release, in order: 2010 SP2, 2013 SP1, 2016.
    kbs = make_list('4022202', '4022224', '4022218');
    
    # When patch-management data is present, the KB list is handed to the
    # third-party patch check first. Whether that call returns or ends the
    # script is decided inside the included helper and is not visible here.
    if (get_kb_item("Host/patch_management_checks"))
    {
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    }
    
    # The version checks below depend on an enumerated registry. Exit code 1 is
    # requested explicitly, presumably so a host that could not be assessed is
    # not mistaken for a patched one - confirm against audit/exit handling.
    get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);
    
    vuln = FALSE;
    # Not referenced again in the visible code; presumably consumed by the
    # included hotfix helpers - TODO confirm.
    port = kb_smb_transport();
    
    ######################################################################
    # Word 2010, 2013, 2016
    ######################################################################
    # Compares the installed Word build against the build that carries the July
    # 2018 fix for each covered release and sets the global 'vuln' flag when
    # hotfix_check_office_product() reports a hit. Takes no arguments and
    # returns nothing; the only visible side effect is the write to 'vuln'.
    function perform_word_checks()
    {
      local_var kb_2016, word2016_builds, fixed_builds, missing;
    
      kb_2016 = "4022218";
    
      # Word 2016 is listed once per servicing channel because each channel has
      # its own build number; every entry maps back to the same KB.
      word2016_builds = make_nested_list(
        make_array("sp", 0, "version", "16.0.4717.1000", "channel", "MSI", "kb", kb_2016),
        make_array("sp", 0, "version", "16.0.9126.2259", "channel", "Deferred", "channel_version", "1803", "kb", kb_2016),
        make_array("sp", 0, "version", "16.0.8431.2280", "channel", "Deferred", "kb", kb_2016),
        make_array("sp", 0, "version", "16.0.9126.2259", "channel", "First Release for Deferred", "kb", kb_2016),
        make_array("sp", 0, "version", "16.0.10228.20104", "channel", "Current", "kb", kb_2016)
      );
    
      # Keyed by Office major version: 14.0 = Word 2010 SP2, 15.0 = Word 2013 SP1,
      # 16.0 = Word 2016. NOTE(review): "sp" looks like the service pack level a
      # host must be on for the entry to apply - confirm in the helper.
      fixed_builds = make_array(
        "14.0", make_array("sp", 2, "version", "14.0.7211.5000", "kb", "4022202"),
        "15.0", make_array("sp", 1, "version", "15.0.5049.1000", "kb", "4022224"),
        "16.0", word2016_builds
      );
    
      missing = hotfix_check_office_product(product:"Word", checks:fixed_builds, bulletin:bulletin);
      if (missing)
        vuln = TRUE;
    }
    
    ######################################################################
    # MAIN
    ######################################################################
    # Run the Word checks, then report based on the shared 'vuln' flag.
    perform_word_checks();
    
    if (!vuln)
    {
      # 'vuln' also stays FALSE when none of the checked Word releases matched,
      # so this outcome means "no missing update found by these checks".
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    else
    {
      # Record the missing bulletin in the knowledge base before reporting, and
      # close the file-version check session only after the warning is issued.
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS18_JUL_OFFICE.NASL
    descriptionThe Microsoft Office Products are missing security updates. They are, therefore, affected by a vulnerability : - A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server. (CVE-2018-8310)
    last seen2020-06-01
    modified2020-06-02
    plugin id110992
    published2018-07-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110992
    titleSecurity Updates for Microsoft Office Products (July 2018)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    
    include("compat.inc");
    
    # Registration phase: when the plugin is loaded with 'description' set, this
    # block only declares metadata and ends with exit(0), so none of the host
    # checks further down execute on this path.
    if (description)
    {
      script_id(110992);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/04");
    
      # Cross-references: one CVE and the single Office update that resolves it
      # for the release this plugin covers (KB4022200).
      script_cve_id("CVE-2018-8310");
      script_xref(name:"MSKB", value:"4022200");
      script_xref(name:"MSFT", value:"MS18-4022200");
    
      script_name(english:"Security Updates for Microsoft Office Products (July 2018)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      # The advisory text names Outlook's HTML e-mail rendering, while this
      # plugin's title, CPE and KB are Office: triage a finding by the installed
      # Office components, not by the Outlook build.
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Office Products are affected by a vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Office Products are missing security updates.
    They are, therefore, affected by a vulnerability :
    
      - A tampering vulnerability exists when Microsoft Outlook
        does not properly handle specific attachment types when
        rendering HTML emails. An attacker could exploit the
        vulnerability by sending a specially crafted email and
        attachment to a victim, or by hosting a malicious .eml
        file on a web server. (CVE-2018-8310)");
      # The see_also value is a nessus.org short link over plain http; the
      # comment above it records the Microsoft support article it is meant to
      # stand for.
      # https://support.microsoft.com/en-us/help/4022200/description-of-the-security-update-for-office-2010-july-10-2018
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0eabd4e7");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4022200");
      # Base vectors as published: network vector, low complexity, no
      # authentication/privileges, integrity impact only (Partial in v2, High
      # in v3), no confidentiality or availability impact.
      # NOTE(review): the v3 vector carries UI:N although the described delivery
      # is an e-mail or hosted .eml file reaching a victim; treat the score as
      # the published value (cvss_score_source below) rather than re-deriving it.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8310");
    
      # Exploit availability is a static string here; it reflects the state at
      # the plugin's last revision (2019/11/04 above) and is not refreshed.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/10");
    
      # NOTE(review): "local" presumably means the verdict comes from data read
      # on the host (file versions, patch inventory) rather than from probing a
      # service, so the scan needs credentials or patch-management data.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_end_attributes();
    
      # Declared as an information-gathering check in the Microsoft Bulletins family.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the listed plugins run first, and the KB key that the
      # check phase reads with get_kb_item_or_exit() must be present.
      # NOTE(review): the ports entry presumably lets the plugin run when either
      # SMB (139/445) or the patch-management KB flag is available - confirm.
      script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    # Result flag shared between perform_office_checks() (writer) and MAIN (reader).
    global_var vuln;
    
    # Bail out early unless the knowledge base says bulletin checks are possible.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS18-07";
    
    # Single update covered by this plugin: Office 2010 SP2.
    kbs = make_list('4022200');
    
    # When patch-management data is present, the KB list is handed to the
    # third-party patch check first. Whether that call returns or ends the
    # script is decided inside the included helper and is not visible here.
    if (get_kb_item("Host/patch_management_checks"))
    {
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    }
    
    # The file-version check below depends on an enumerated registry. Exit code
    # 1 is requested explicitly, presumably so a host that could not be assessed
    # is not mistaken for a patched one - confirm against audit/exit handling.
    get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);
    
    vuln = FALSE;
    # Not referenced again in the visible code; presumably consumed by the
    # included hotfix helpers - TODO confirm.
    port = kb_smb_transport();
    
    ######################################################################
    # Office 2010, 2016
    ######################################################################
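    # Checks an Office 2010 SP2 installation for the July 2018 update
    # (KB4022200) by comparing the version of wwlibcxm.dll with the fixed build
    # 14.0.7211.5000, and sets the global 'vuln' flag when the file is older.
    # Takes no arguments; the only visible side effect is the write to 'vuln'.
    #
    # Only the Office 2010 (14.0) branch is implemented in this function.
    # Unused local declarations from the original were dropped.
    function perform_office_checks()
    {
      local_var office_vers, office_sp, path, prod;
    
      office_vers = hotfix_check_office_version();
    
      # Nothing to assess unless an Office 14.0 installation was detected.
      if (!office_vers["14.0"]) return NULL;
    
      # Only SP2 is evaluated; any other (or unknown) service pack level leaves
      # 'vuln' untouched, so such hosts are not flagged by this check.
      office_sp = get_kb_item("SMB/Office/2010/SP");
      if (isnull(office_sp) || office_sp != 2) return NULL;
    
      prod = "Microsoft Office 2010 SP2";
      path = hotfix_get_officeprogramfilesdir(officever:"14.0");
    
      # wwlibcxm.dll only exists if KB2428677 is installed. The host is flagged
      # only on HCF_OLDER, so a host without that file is presumably not
      # reported by this plugin - worth knowing when reading a clean result.
      if (hotfix_check_fversion(file:"wwlibcxm.dll", version:"14.0.7211.5000", path:path, kb:"4022200", bulletin:bulletin, product:prod) == HCF_OLDER)
        vuln = TRUE;
    
      return NULL;
    }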
    
    ######################################################################
    # MAIN
    ######################################################################
    # Run the Office checks, then report based on the shared 'vuln' flag.
    perform_office_checks();
    
    if (!vuln)
    {
      # 'vuln' also stays FALSE when the Office 2010 SP2 branch was never
      # entered, so this outcome means "no missing update found by these checks".
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    else
    {
      # Record the missing bulletin in the knowledge base before reporting, and
      # close the file-version check session only after the warning is issued.
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }