The issue occurs as a result of insufficient validation of input data, which may lead to a crash and potentially allow a remote attacker to take control of the application and execute arbitrary code on the user’s system. This issue has been verified on the following applications: Microsoft Office 2010 SP2, Word Viewer, Microsoft Excel Viewer, PowerPoint Viewer, Microsoft Outlook 2010 SP2, Microsoft Access 2010 SP2, Microsoft Publisher Viewer, Microsoft Visio Viewer, Microsoft PowerPoint Viewer. The issue has also been verified on the following operating systems: Microsoft Windows 7, Microsoft Windows 2003, Microsoft Windows 2008, Microsoft Windows 2003 R2, Microsoft Windows Vista, Microsoft Windows 2000, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6, Ubuntu 16.04.

Microsoft Office 2010 SP2

Microsoft Office 2010 SP2 is a freeware and proprietary software client application for Microsoft Windows. It includes Microsoft Word and Microsoft Excel, as well as tools such as Outlook, Access, Publisher, and Visio.
The vulnerability allows a remote user to take control of the affected system with an exploit that results in code execution. The vulnerability was identified by Trend Micro’s Zero Day Initiative (ZDI) team, which disclosed it to Microsoft on May 24th, 2017.

Vulnerability overview

Microsoft Office 2010 is affected by a vulnerability that may allow a remote attacker to take control of the application and execute arbitrary code on the user’s system. The issue has been verified on the following applications: Microsoft Office 2010 SP2, Word Viewer, Microsoft Excel Viewer, PowerPoint Viewer, Microsoft Outlook 2010 SP2, Microsoft Access 2010 SP2, Microsoft Publisher Viewer, Microsoft Visio Viewer, Microsoft PowerPoint Viewer.

Vulnerability Scenarios

An attacker may exploit this vulnerability by convincing a user to open an Office document that contains a malicious macro.

Risk assessment

The risk of this vulnerability is rated as high.

Microsoft Office 2010 CVE-2021-46839

Microsoft Office 2010 is prone to a remote code execution vulnerability as a result of insufficient verification of input data, which may lead to a crash and potentially allow a remote attacker to execute arbitrary code on the user’s system. This issue has been verified on the following applications: Microsoft Office 2010 SP2, Word Viewer, Microsoft Excel Viewer, PowerPoint Viewer, Microsoft Outlook 2010 SP2, Microsoft Access 2010 SP2, Microsoft Publisher Viewer, Microsoft Visio Viewer, Microsoft PowerPoint Viewer. The issue has also been verified on the following operating systems: Microsoft Windows 7, Microsoft Windows 2003, Microsoft Windows 2008, Microsoft Windows 2003 R2, Microsoft Windows Vista, Microsoft Windows 2000.

Timeline

Published on: 10/14/2022 16:15:00 UTC
Last modified on: 10/18/2022 14:50:00 UTC
