Vulnerabilities > CVE-2019-0953 - Unspecified vulnerability in Microsoft products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
microsoft
nessus

Summary

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_MAY_OFFICE_WEB.NASL
    descriptionThe Microsoft Office Online Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability: - A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. (CVE-2019-0953)
    last seen2020-06-01
    modified2020-06-02
    plugin id130261
    published2019-10-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130261
    titleSecurity Updates for Microsoft Office Online Server Apps (May 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(130261);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/30 13:24:47");
    
      script_cve_id("CVE-2019-0953");
      script_bugtraq_id(108211);
      script_xref(name:"MSKB", value:"4462169");
      script_xref(name:"MSFT", value:"MS19-4462169");
    
      script_name(english:"Security Updates for Microsoft Office Online Server Apps (May 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Office Online Server installation on the remote host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Office Online Server installation on the
    remote host is missing a security update. It is, therefore,
    affected by the following vulnerability:
    
      - A remote code execution vulnerability exists in
        Microsoft Word software when it fails to properly handle
        objects in memory. An attacker who successfully
        exploited the vulnerability could use a specially
        crafted file to perform actions in the security context
        of the current user. For example, the file could then
        take actions on behalf of the logged-on user with the
        same permissions as the current user.  (CVE-2019-0953)");
      # https://support.microsoft.com/en-us/help/4462169/description-of-the-security-update-for-office-online-server-may-14
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bde1dbb");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released KB4462169 to address this issue.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0953");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_web_apps");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("office_installed.nasl","microsoft_owa_installed.nbin","microsoft_office_compatibility_pack_installed.nbin","smb_hotfixes.nasl","ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include('audit.inc');
    include('smb_func.inc');
    include('smb_hotfixes.inc');
    include('smb_hotfixes_fcheck.inc');
    include('smb_reg_query.inc');
    include('misc_func.inc');
    include('install_func.inc');
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    bulletin = 'MS19-05';
    kbs = make_list('4462169');
    if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);
    
    port = kb_smb_transport();
    
    # Get installs of Office Web Apps
    owa_installs = get_installs(app_name:'Microsoft Office Web Apps');
    
    if (!empty_or_null(owa_installs))
    {
      foreach owa_install (owa_installs[1])
      {
        if (owa_install['Product'] == '2016')
        {
          oos_path = owa_install['path'];
          oos_sp = owa_install['SP'];
        }
      }
    }
    vuln = FALSE;
    
    ####################################################################
    # Office Online Server
    ####################################################################
    if (oos_path && (!isnull(oos_sp) && oos_sp == '0'))
    {
      path = hotfix_append_path(path:oos_path, value:"ExcelServicesEcs\bin");
      if (hotfix_check_fversion(file:'xlsrv.dll', version:'16.0.10344.20001', min_version:'16.0.0.0', path:path, kb:'4462169', product:'Office Online Server') == HCF_OLDER)
      vuln = TRUE;
    }
    
    if (vuln)
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_MAY_WORD.NASL
    descriptionThe Microsoft Word Products are missing a security update. It is, therefore, affected by a remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id125072
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125072
    titleSecurity Updates for Microsoft Word Products (May 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(125072);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/30 13:24:47");
    
      script_cve_id("CVE-2019-0953");
      script_xref(name:"MSKB", value:"4464536");
      script_xref(name:"MSFT", value:"MS19-4464536");
    
      script_name(english:"Security Updates for Microsoft Word Products (May 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Word Products are missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Word Products are missing a security update. It is, therefore, affected by a remote code execution
    vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who
    successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context
    of the current user. For example, the file could then take actions on behalf of the logged-on user with the same
    permissions as the current user.");
      # https://support.microsoft.com/en-us/help/4464536/description-of-the-security-update-for-word-2016-may-14-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77c5f6dd");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released KB4464536 to address this issue.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0953");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_dependencies("office_installed.nasl","smb_hotfixes.nasl","ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include('audit.inc');
    include('smb_func.inc');
    include('smb_hotfixes.inc');
    include('smb_hotfixes_fcheck.inc');
    include('smb_reg_query.inc');
    include('install_func.inc');
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    bulletin = 'MS19-05';
    kbs = make_list('4464536');
    
    if (get_kb_item('Host/patch_management_checks'))
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);
    
    port = kb_smb_transport();
    
    checks = make_array(
      '16.0', make_nested_list(make_array('sp', 0, 'version', '16.0.4849.1000', 'channel', 'MSI', 'kb', '4464536'))
    );
    
    if (hotfix_check_office_product(product:'Word', checks:checks, bulletin:bulletin))
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_MS19_MAY_OFFICE.NASL
    descriptionThe Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is, therefore, affected by a remote code execution vulnerability in the Microsoft Word software due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary commands.
    last seen2020-06-01
    modified2020-06-02
    plugin id125165
    published2019-05-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125165
    titleSecurity Update for Microsoft Office (May 2019) (macOS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125165);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/30 13:24:46");
    
      script_cve_id("CVE-2019-0953");
    
      script_name(english:"Security Update for Microsoft Office (May 2019) (macOS)");
      script_summary(english:"Checks the version of Microsoft Office.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote macOS or Mac OS X host is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is,
    therefore, affected by a remote code execution vulnerability in the Microsoft Word software due to improper handling of
    objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially
    crafted file, to execute arbitrary commands.
    ");
      # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-2016-mac#may-2019-release
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?6914a7b5");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Microsoft Office for Mac.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0953");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/16");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:outlook");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:onenote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_office_installed.nbin");
      script_require_keys("Host/MacOSX/Version");
      script_require_ports(
        "installed_sw/Microsoft Word",
        "installed_sw/Microsoft Excel",
        "installed_sw/Microsoft PowerPoint",
        "installed_sw/Microsoft OneNote",
        "installed_sw/Microsoft Outlook"
      );
    
      exit(0);
    }
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    include("vcf.inc");
    
    os = get_kb_item_or_exit("Host/MacOSX/Version");
    
    apps = make_list(
      "Microsoft Word",
      "Microsoft Excel",
      "Microsoft PowerPoint",
      "Microsoft OneNote",
      "Microsoft Outlook"
    );
    
    report = '';
    
    #2016
    min_ver_16 = '16';
    fix_ver_16 = '16.16.10';
    fix_disp_16 = '16.16.10 (19051200)';
    
    #2019
    min_ver_19 = '16.17.0';
    fix_ver_19 = '16.25';
    fix_disp_19 = '16.25 (19051201)';
    
    foreach app (apps)
    {
      installs = get_installs(app_name:app);
      if (isnull(installs[1]))
        continue;
    
      foreach install (installs[1])
      {
        version = install['version'];
    
        if (ver_compare(ver:version, minver:min_ver_19, fix:fix_ver_19, strict:FALSE) < 0)
        {
          app_label = app + ' for Mac 2019';
          report +=
            '\n\n  Product           : ' + app_label +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fix_disp_19;
        }
        else if (ver_compare(ver:version, minver:min_ver_16, fix:fix_ver_16, strict:FALSE) < 0)
        {
          app_label = app + ' for Mac 2016';
          report +=
            '\n\n  Product           : ' + app_label +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fix_disp_16;
        }
      }
    }
    if (empty(report))
      audit(AUDIT_HOST_NOT, "affected");
    
    if (os =~ "^Mac OS X 10\.[0-9](\.|$)")
      report += '\n  Note              : Update will require Mac OS X 10.10.0 or later.\n';
    
    security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);