Overview:
A campaign targeting government organizations in Central Asia was discovered delivering a backdoor named HAWKBALL. The campaign uses the well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to infect its targets with the malware.
Microsoft issued a warning about an active malware campaign using emails written in European languages. The emails contain RTF files that carry the CVE-2017-11882 exploit and allow attackers to run malicious code automatically, without user interaction.
CVSS v3.0 Severity and Metrics:
Base Score: 7.8 HIGH
CVSS v2.0 Severity and Metrics:
Base Score: 9.3 HIGH
Affected software:
- Microsoft Office 2007
- Microsoft Office 2010
- Microsoft Office 2013
- Microsoft Office 2016
Solution:
We can use the SanerNow platform to remediate this critical vulnerability quickly across the organization, as shown in the diagrams below.
NOTE: This vulnerability is being actively exploited by attackers to break into systems, hence consider applying the solution immediately.
SanerNow: Vulnerability detection and patching of Microsoft Office:
1. Login to SanerNow platform
2. Switch to the account/site specific view and Go to 'VM tool'
3. If your product is vulnerable, Saner lists the CVEs (CVE-2017-11882 and CVE-2018-0802) in 'Top Vulnerabilities' or 'Recently Discovered Vulnerabilities', as shown in the diagram below.
4. Search for this vulnerability in VM tool. If you are affected, apply the patch through PM -> Missing Patches.
5. Select 'Groups/Devices' in the 'Asset Source' section and click 'Apply'.
6. Select the appropriate patches from the 'Asset' section as shown in the diagram below. Select the required KBs to be remediated.
7. Select 'Apply Selected Patches' at the rightmost corner. This will prompt for 'Creating Patching Task'. Fill in 'Task Name' and 'Remediation Schedule' as per your preference and click 'Apply Selected Patches' as shown below.
8. Remediation job will be created, which will fix the vulnerabilities by applying applicable patch to Microsoft Office.
9. Once remediation is done, the Saner agent automatically scans again and uploads the result. The status of the job can be checked in PM --> Status.
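After the patch job reports success, a spot check on an endpoint confirms that the Equation Editor component (the code both CVEs live in) is actually gone or updated. The script below is an added example written for this post; it is not SanerNow code and not from the original write-up. It assumes the standard install location of EQNEDT32.EXE under Common Files\Microsoft Shared\EQUATION, and it treats the COM Compatibility kill bit for the Equation Editor CLSID (Microsoft's published workaround) as a mitigation, not as a substitute for the patch. The patched file version is deliberately left as a parameter to be filled in from Microsoft's advisory.

```powershell
# Added example (not part of the original post or the SanerNow product): read-only check
# that a Windows host has Equation Editor removed, patched, or at least kill-bitted.
# Assumptions: standard EQNEDT32.EXE location; the CLSID below is Equation Editor 3.0's,
# and "Compatibility Flags" = 0x400 under COM Compatibility is Microsoft's documented kill bit.
function Test-EquationEditorRemediation {
    param(
        # Placeholder: supply the patched EQNEDT32.EXE file version from Microsoft's
        # advisory for CVE-2017-11882. When omitted, the function only reports what it finds.
        [version]$PatchedVersion
    )

    # Candidate binary locations (32-bit and 64-bit Office installs).
    $candidates = @(
        "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    # Kill bit check: Microsoft's workaround disables the Equation Editor COM server.
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'
    $killBitKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
    )
    $killBitSet = $false
    foreach ($key in $killBitKeys) {
        $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band 0x400) -ne 0)) { $killBitSet = $true }
    }

    if (-not $candidates) {
        # Microsoft's January 2018 Office updates removed Equation Editor outright;
        # no binary on disk means there is nothing left for an RTF to load.
        return [pscustomobject]@{
            Status = 'Removed'; Path = $null; FileVersion = $null; KillBit = $killBitSet
        }
    }

    foreach ($path in $candidates) {
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

        $status = if ($PatchedVersion -and $ver -ge $PatchedVersion) {
            'Patched (binary still present)'
        } elseif ($killBitSet) {
            'Mitigated by kill bit only - patch still required'
        } elseif ($PatchedVersion) {
            'VULNERABLE - below patched version'
        } else {
            'Present - compare FileVersion against the advisory'
        }

        [pscustomobject]@{
            Status = $status; Path = $path; FileVersion = $ver; KillBit = $killBitSet
        }
    }
}

# Usage: run elevated on a remediated host, e.g.
#   Test-EquationEditorRemediation -PatchedVersion '<version from Microsoft advisory>'
Test-EquationEditorRemediation | Format-Table -AutoSize
```

The PM --> Status view remains the system of record for the patch job; this check is the independent confirmation a reviewer can attach to the ticket, and a 'Present' or 'Mitigated by kill bit only' result on a host marked remediated is the signal to re-scan it in the VM tool.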