/CVE-2023-36884-Checker

Script to check for CVE-2023-36884 hardening

Primary LanguagePowerShellMIT LicenseMIT

CVE-2023-36884-Checker

Script to check for CVE-2023-36884 hardening https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

Goal

This scripts checks if Microsoft hardening recommendations are properly applied.

Microsoft says https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884 that:

Add the following application names to this registry key as values of type REG_DWORD with data 1.:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

    Excel.exe
    Graph.exe
    MSAccess.exe
    MSPub.exe
    Powerpnt.exe
    Visio.exe
    WinProj.exe
    WinWord.exe
    Wordpad.exe

How to use

Simply execute the cve-2023-36884-checker.ps1 code and you will see the results as shown below.

To run the script once downloaded:

powershell -ExecutionPolicy Bypass .\cve-2023-36884-checker.ps1

/!\ This script does NOT require admin rights /!\

Note : you can also use this excellent script which has more options if needed https://github.com/myusefulrepo/Tips/blob/master/CVE-2023-36884-Check%26Mitigation.ps1 (thanks to Olivier @Rapidhands)

Apply or remove mitigations for CVE-2023-36884

You can also execute mitigate-cve-2023-36884.ps1 to apply mitigations provided by Microsoft, or remove-mitigations-cve-2023-36884.ps1 to remove those mitigations if needed later.

# To apply mitigations
powershell -ExecutionPolicy Bypass .\mitigate-cve-2023-36884.ps1
# To remove mitigations
powershell -ExecutionPolicy Bypass .\remove-mitigations-cve-2023-36884.ps1

/!\ These scripts REQUIRE admin rights /!\

Please note that these scripts change your registry values and thus might break your system. If so, that's your own responsibility.

Results of the CVE-2023-36884 checker

Here are some examples of the results when running cve-2023-36884-checker.ps1.

If mitigation is totally enforced

DEBUG:OK, Excel.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Graph.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSAccess.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSPub.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, PowerPnt.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Visio.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinProj.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Wordpad.exe has CVE-2023-36884 mitigation enabled
META:hardening-CVE-2023-36884|OK

If mitigation is not enforced at all

DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinWord.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO

If mitigation is partially enforced

DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO

License

MIT