As of November 8, 2022, Microsoft has released security updates for its Office Online servers to close vulnerabilities in Word and Excel. According to my information, however, one vulnerability remains (a Server-Side Request Forgery, SSRF, that leads to Remote Code Execution, RCE) that Microsoft does not want to fix.
Office Online Server is the next generation of the Office Web Apps Server. Office Online Server provides browser-based versions of Word, PowerPoint, Excel and OneNote. A single Office Online Server farm can support users accessing Office files through SharePoint Server, Exchange Server, shared folders and Web sites. The product can integrate with SharePoint to provide web-based access to these documents within SharePoint.
Security updates Nov. 2022
I had also listed the two security updates for Microsoft Office Online Server in the blog post "Patchday: Microsoft Office Updates (November 8, 2022)":
- Office Online Server: Description of the security update for Office Online Server: November 8, 2022 (KB5002276)
- Office Web Apps Server 2013: Description of the security update for Office Web Apps Server 2013: November 8, 2022 (KB5002261)
Both updates address the following vulnerabilities:
- CVE-2022-41060: Microsoft Word Information Disclosure Vulnerability
- CVE-2022-41061: Microsoft Word Remote Code Execution Vulnerability
- CVE-2022-41063: Microsoft Excel Remote Code Execution Vulnerability
- CVE-2022-41103: Microsoft Word Information Disclosure Vulnerability
- CVE-2022-41106: Microsoft Excel Remote Code Execution Vulnerability
However, not all known vulnerabilities in Microsoft Office Online Server are fixed.
Unfixed vulnerability
I already came across the following tweet from Will Dormann some time ago, which points out the issue. It is about an RCE vulnerability that is not supposed to be fixed.
During a routine penetration test, security experts at MDSec discovered a server-side request forgery vulnerability which, under the right conditions, can be exploited to achieve remote code execution on Office Online Server itself.
The /op/view.aspx endpoint in Office Online Server is intended to be used to retrieve Office documents from remote resources and display them in the browser. The endpoint is affected by classic server-side request forgery, where a connection is initiated by the application by specifying an HTTP(s) or UNC location. All Office Online Server versions up to and including 16.0.10338.20039 are affected.
The team reported the vulnerability in Microsoft Office Online Server to the Microsoft MSRC, which deemed the remote code execution (RCE) critical. The Microsoft Security Response Center looked into the matter and replied that they would not fix this vulnerability. The security researchers at MDSec have since made the details of the vulnerability public in the blog post Microsoft Office Online Server Remote Code Execution.
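For administrators running an affected farm, one way to review web server logs for /op/view.aspx requests whose document location is a UNC path or an internal address, which is the kind of request the endpoint description above makes worth checking. This is an added example, not code from MDSec or Microsoft; the `src` query parameter name, the log field order and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed IIS-style log lines (assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status).
SAMPLE_LOG = """\
2022-11-10 09:14:02 GET /op/view.aspx src=https%3A%2F%2Fdocs.example.com%2Freport.docx 203.0.113.7 200
2022-11-10 09:15:40 GET /op/view.aspx src=http%3A%2F%2F10.0.0.5%3A8080%2Fstatus 203.0.113.9 200
2022-11-10 09:16:11 GET /op/view.aspx src=%5C%5Cfiles.example.net%5Cshare%5Ca.docx 203.0.113.9 200
2022-11-10 09:17:30 GET /hosting/discovery - 10.0.0.20 200
"""

def classify_src(src):
    """Return a review reason for a requested document location, or None."""
    if src.startswith(("\\\\", "//")):
        return "unc-path"
    try:
        host = urlsplit(src).hostname
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if host == "localhost":
        return "internal-address"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: compare against an allow-list separately
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal-address"
    return None

def flag_requests(log_text):
    """Return (client_ip, src, reason) for each viewer request worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue
        stem, query, client = fields[3], fields[4], fields[5]
        if stem.lower() != "/op/view.aspx":
            continue
        # ASP.NET treats query parameter names case-insensitively.
        for name, values in parse_qs(query).items():
            if name.lower() == "src":
                for src in values:
                    reason = classify_src(src)
                    if reason:
                        findings.append((client, src, reason))
    return findings
```

Requests that name a DNS host are not flagged here; those need to be compared against the list of document sources the farm is expected to serve.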