
DarkRelay-Security-Labs/CVE-2023-36884-Checker

 
 


CVE-2023-36884-Checker

Script to check for CVE-2023-36884 hardening https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

This repository accompanies DarkRelay's detailed writeup on this vulnerability; you can find more details in the cybersecurity blog post.

Goal

This script checks whether Microsoft's hardening recommendations are properly applied.

Microsoft's guidance (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884) says:

Add the following application names to this registry key as values of type REG_DWORD with data 1:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

    Excel.exe
    Graph.exe
    MSAccess.exe
    MSPub.exe
    Powerpnt.exe
    Visio.exe
    WinProj.exe
    WinWord.exe
    Wordpad.exe

How to use

Simply execute cve-2023-36884-checker.ps1 and you will see results like those shown below.

To run the script once downloaded:

powershell -ExecutionPolicy Bypass .\cve-2023-36884-checker.ps1

/!\ This script does NOT require admin rights /!\

Note: you can also use this excellent script, which has more options if needed: https://github.com/myusefulrepo/Tips/blob/master/CVE-2023-36884-Check%26Mitigation.ps1 (thanks to Olivier @Rapidhands)

Apply or remove mitigations for CVE-2023-36884

You can also execute mitigate-cve-2023-36884.ps1 to apply mitigations provided by Microsoft, or remove-mitigations-cve-2023-36884.ps1 to remove those mitigations if needed later.

# To apply mitigations
powershell -ExecutionPolicy Bypass .\mitigate-cve-2023-36884.ps1
# To remove mitigations
powershell -ExecutionPolicy Bypass .\remove-mitigations-cve-2023-36884.ps1

/!\ These scripts REQUIRE admin rights /!\

Please note that these scripts change your registry values and thus might break your system. If so, that's your own responsibility.

Results of the CVE-2023-36884 checker

Here are some examples of the results when running cve-2023-36884-checker.ps1.

If mitigation is totally enforced

DEBUG:OK, Excel.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Graph.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSAccess.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, MSPub.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, PowerPnt.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Visio.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinProj.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:OK, Wordpad.exe has CVE-2023-36884 mitigation enabled
META:hardening-CVE-2023-36884|OK

If mitigation is not enforced at all

DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinWord.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO

If mitigation is partially enforced

DEBUG:KO, Excel.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Graph.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSAccess.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, MSPub.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, PowerPnt.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, Visio.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:KO, WinProj.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
DEBUG:OK, WinWord.exe has CVE-2023-36884 mitigation enabled
DEBUG:KO, Wordpad.exe FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1
META:hardening-CVE-2023-36884|KO
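
The check described above can be sketched as follows. This is an added example, not the repository's cve-2023-36884-checker.ps1; the function name Test-CrossProtocolMitigation and the variable names are assumptions, while the key path, application list and output lines are taken from this page.

```powershell
# Added example (not the project's script). Read-only: no admin rights needed.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# Hypothetical helper: returns one object per application with its mitigation state.
function Test-CrossProtocolMitigation {
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)

    # If the key does not exist, $key is $null and every application is reported KO.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue

    foreach ($name in $Names) {
        $ok = $false
        # -contains is case-insensitive, matching registry value-name semantics.
        if ($key -and ($key.GetValueNames() -contains $name)) {
            # The guidance specifies REG_DWORD with data 1, so check type and data.
            # Without the type check, a REG_SZ "1" would pass because "1" -eq 1 is true.
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
        }
        [pscustomobject]@{ Application = $name; Mitigated = $ok }
    }
}

$results = Test-CrossProtocolMitigation
foreach ($r in $results) {
    if ($r.Mitigated) {
        Write-Output "DEBUG:OK, $($r.Application) has CVE-2023-36884 mitigation enabled"
    } else {
        Write-Output "DEBUG:KO, $($r.Application) FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION should be set to 1"
    }
}

# The overall verdict is OK only when every listed application is covered.
$overall = if ($results.Mitigated -contains $false) { 'KO' } else { 'OK' }
Write-Output "META:hardening-CVE-2023-36884|$overall"
```

A single application with a missing or mistyped value is enough to produce the overall KO line, which matches the partially enforced case shown above.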

License

MIT
