CVE-2017-11826
Published: 13 October 2017
Summary
CVE-2017-11826 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Word. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2017-11826 is a memory corruption vulnerability, tracked under CWE-119, that affects multiple Microsoft Office and SharePoint components including Office 2010, SharePoint Server 2010 and Enterprise Server 2010, Office Web Apps Server 2010 and 2013, Word 2007 through 2016, Word Viewer, Word Automation Services, and Office Online Server. The flaw arises when the software fails to properly handle objects in memory, enabling remote code execution.
An attacker can exploit the issue by supplying a specially crafted document that triggers the memory corruption when the victim opens it. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a local attack vector (the malicious document must be opened on the victim's machine), no privileges required, and user interaction needed, resulting in high impact to confidentiality, integrity, and availability once code execution is achieved.
Microsoft's Security Response Center advisory and related vendor bulletins address mitigation through available security updates for the affected products. Public analyses, including those from McAfee and 0patch, confirm the vulnerability was observed being exploited in the wild as a zero-day prior to patching.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3426
Vulnerability details
Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint Server 2010, Web Applications, Office Web Apps Server 2010 and 2013, Word Viewer, Word 2007, 2010, 2013 and 2016, Word Automation Services, and Office Online Server allow remote code execution when the software fails to properly handle objects in memory.
- CWE(s): CWE-119
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying vendor security updates to eliminate the memory-handling flaw before a crafted document can be exploited.
- SI-16 (Memory Protection): mandates memory-protection techniques (DEP, ASLR, etc.) that block exploitation of the exact class of memory corruption (CWE-119) described in the CVE.
- Malicious code protection: deploys detection mechanisms that can identify and block the specially crafted documents used to trigger the RCE.