Vulnerabilities > CVE-2018-8310 - Unspecified vulnerability in Microsoft Office and Word

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
microsoft
nessus
NVD
Published: 2018-07-11
Updated: 2020-08-24

Summary

A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails, aka "Microsoft Office Tampering Vulnerability." This affects Microsoft Word, Microsoft Office.

Vulnerable Configurations

Part Description Count
Application
Microsoft
6

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS18_JUL_WORD.NASL
    descriptionThe Microsoft Word Products are missing a security update. It is, therefore, affected by the following vulnerability : - A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server. The attacker who successfully exploited the vulnerability could then embed untrusted TrueType fonts in the body of an email. This behavior could be combined with other exploits to further compromise a user
    last seen2020-06-01
    modified2020-06-02
    plugin id110994
    published2018-07-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110994
    titleSecurity Updates for Microsoft Word Products (July 2018)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");

if (description)
{
  script_id(110994);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id("CVE-2018-8310");
  script_bugtraq_id(104615);
  script_xref(name:"MSKB", value:"4022218");
  script_xref(name:"MSKB", value:"4022224");
  script_xref(name:"MSKB", value:"4022202");
  script_xref(name:"MSFT", value:"MS18-4022218");
  script_xref(name:"MSFT", value:"MS18-4022224");
  script_xref(name:"MSFT", value:"MS18-4022202");

  script_name(english:"Security Updates for Microsoft Word Products (July 2018)");
  script_summary(english:"Checks for Microsoft security updates.");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Word Products are missing a security update.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Word Products are missing a security update.
It is, therefore, affected by the following vulnerability :

  - A tampering vulnerability exists when Microsoft Outlook
    does not properly handle specific attachment types when
    rendering HTML emails. An attacker could exploit the
    vulnerability by sending a specially crafted email and
    attachment to a victim, or by hosting a malicious .eml
    file on a web server. The attacker who successfully
    exploited the vulnerability could then embed untrusted
    TrueType fonts in the body of an email. This behavior
    could be combined with other exploits to further
    compromise a user's system. The security update
    addresses the vulnerability by correcting how Microsoft
    Outlook handles attachments. (CVE-2018-8310)");
  # https://support.microsoft.com/en-us/help/4022218/description-of-the-security-update-for-word-2016-july-10-2018
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?38466f10");
  # https://support.microsoft.com/en-us/help/4022224/description-of-the-security-update-for-word-2013-july-10-2018
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d5386f78");
  # https://support.microsoft.com/en-us/help/4022202/description-of-the-security-update-for-word-2010-july-10-2018
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c3c4a554");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:  
  -KB4022218
  -KB4022224
  -KB4022202");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8310");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("install_func.inc");

global_var vuln;

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS18-07";
kbs = make_list(
  '4022202', # Word 2010 SP2
  '4022224', # Word 2013 SP1
  '4022218'  # Word 2016
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);

vuln = FALSE;
port = kb_smb_transport();

######################################################################
# Word 2010, 2013, 2016
######################################################################
function perform_word_checks()
{
  local_var word_checks, kb16;

  kb16 = "4022218";
  word_checks = make_array(
    "14.0", make_array("sp", 2, "version", "14.0.7211.5000", "kb", "4022202"),
    "15.0", make_array("sp", 1, "version", "15.0.5049.1000", "kb", "4022224"),
    "16.0", make_nested_list(
      make_array("sp", 0, "version", "16.0.4717.1000", "channel", "MSI", "kb", kb16),
      make_array("sp", 0, "version", "16.0.9126.2259", "channel", "Deferred", "channel_version", "1803", "kb", kb16),
      make_array("sp", 0, "version", "16.0.8431.2280", "channel", "Deferred", "kb", kb16),
      make_array("sp", 0, "version", "16.0.9126.2259", "channel", "First Release for Deferred", "kb", kb16),
      make_array("sp", 0, "version", "16.0.10228.20104", "channel", "Current", "kb", kb16)
    )
  );
  if (hotfix_check_office_product(product:"Word", checks:word_checks, bulletin:bulletin))
    vuln = TRUE;
}

######################################################################
# MAIN
######################################################################
perform_word_checks();

if (vuln)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS18_JUL_OFFICE.NASL
    descriptionThe Microsoft Office Products are missing security updates. They are, therefore, affected by a vulnerability : - A tampering vulnerability exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server. (CVE-2018-8310)
    last seen2020-06-01
    modified2020-06-02
    plugin id110992
    published2018-07-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110992
    titleSecurity Updates for Microsoft Office Products (July 2018)
    code
    #
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include("compat.inc");

if (description)
{
  script_id(110992);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/04");

  script_cve_id("CVE-2018-8310");
  script_xref(name:"MSKB", value:"4022200");
  script_xref(name:"MSFT", value:"MS18-4022200");

  script_name(english:"Security Updates for Microsoft Office Products (July 2018)");
  script_summary(english:"Checks for Microsoft security updates.");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Office Products are affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Office Products are missing security updates.
They are, therefore, affected by a vulnerability :

  - A tampering vulnerability exists when Microsoft Outlook
    does not properly handle specific attachment types when
    rendering HTML emails. An attacker could exploit the
    vulnerability by sending a specially crafted email and
    attachment to a victim, or by hosting a malicious .eml
    file on a web server. (CVE-2018-8310)");
  # https://support.microsoft.com/en-us/help/4022200/description-of-the-security-update-for-office-2010-july-10-2018
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0eabd4e7");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:  
  -KB4022200");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8310");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("office_installed.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("install_func.inc");

global_var vuln;

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS18-07";
kbs = make_list(
  '4022200'  # Office 2010 SP2
);

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);

vuln = FALSE;
port = kb_smb_transport();

######################################################################
# Office 2010, 2016
######################################################################
function perform_office_checks()
{
  local_var office_vers, office_sp, common_path, path, prod, file, kb, c2r_file, infopath_prod, msi_path, c2r_path, checks;
  office_vers = hotfix_check_office_version();

  ####################################################################
  # Office 2010 SP2 Checks
  # wwlibcxm.dll only exists if KB2428677 is installed
  ####################################################################
  if (office_vers["14.0"])
  {
    office_sp = get_kb_item("SMB/Office/2010/SP");
    if (!isnull(office_sp) && office_sp == 2)
    {
      prod = "Microsoft Office 2010 SP2";

      path = hotfix_get_officeprogramfilesdir(officever:"14.0");

      if (hotfix_check_fversion(file:"wwlibcxm.dll", version:"14.0.7211.5000", path:path, kb:"4022200", bulletin:bulletin, product:prod) == HCF_OLDER)
        vuln = TRUE;
    }
  }
}

######################################################################
# MAIN
######################################################################
perform_office_checks();

if (vuln)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

References