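<#
    .SYNOPSIS
        CVE Detection - CVE-2024-21413
    .DESCRIPTION
        Checks whether a Click-to-Run Microsoft Office installation is present and whether it is at or above
        the build that carries the February 2024 security update for CVE-2024-21413.

        The result is written to the NinjaOne custom field CVE202421413 (1 = vulnerable, 0 = not vulnerable).
        The script exits with code 1, without setting the field, when it cannot find a Click-to-Run
        installation, cannot read the installed version, or cannot identify the Microsoft 365 Apps update channel.
    .NOTES
        2024-03-01:
        2024-02-15: Fix incorrect target versions for some M365 channels.
        2024-02-15: Fail early if we can't match to a valid M365 apps version. Correct target versions for Office 2016, 2019 and 2021.
        2024-02-14: Fix incorrect M365 version build upper limit.
        2024-02-13: Initial version
    .LINK
        Blog post: https://homotechsual.dev/2024/02/13/CVE-Monitoring-NinjaOne/
#>

# Start from a known state so values left over in the session cannot influence the verdict.
$Vulnerable = $false
$OfficeChannel = $null
$OfficeVersion = $null
$OfficeProductIds = $null

$C2RConfigurationPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$IsC2R = Test-Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun'
if ($IsC2R) {
    $C2RConfiguration = Get-ItemProperty -Path $C2RConfigurationPath
    # Get the installed Office Version
    $OfficeVersion = [version]($C2RConfiguration | Select-Object -ExpandProperty VersionToReport)
    # Get the installed Office Product IDs
    $OfficeProductIds = ($C2RConfiguration | Select-Object -ExpandProperty ProductReleaseIds)
} else {
    Write-Error 'No Click-to-Run Office installation detected. This script only works with Click-to-Run Office installations.'
    Exit 1
}

# Fail closed: without a readable version every check below would be skipped and the
# device would be reported as "not vulnerable" even though nothing was verified.
if (-not $OfficeVersion) {
    Write-Error 'Unable to determine the installed Office version.'
    Exit 1
}

$IsO365 = $OfficeProductIds -like '*O365*'

# Microsoft 365 Apps update channels. Each integer key is a build number and holds the
# first patched version for that build within the channel.
$M365AppsChannels = @(
    @{
        ID = 'Current'
        GUID = '492350f6-3a01-4f97-b9c0-c7c6ddf67d60'
        Name = 'Current'
        17231 = @{ PatchedVersion = [version]'16.0.17231.20236' }
    },
    @{
        ID = 'FirstReleaseCurrent'
        GUID = '64256afe-f5d9-4f86-8936-8840a6a4f5be'
        Name = 'Current (Preview)'
        17328 = @{ PatchedVersion = [version]'16.0.17328.20068' }
    },
    @{
        ID = 'MonthlyEnterprise'
        GUID = '55336b82-a18d-4dd6-b5f6-9e5095c314a6'
        Name = 'Monthly Enterprise'
        17126 = @{ PatchedVersion = [version]'16.0.17126.20190' }
        17029 = @{ PatchedVersion = [version]'16.0.17029.20178' }
    },
    @{
        ID = 'Deferred'
        GUID = '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114'
        Name = 'Semi-Annual Enterprise'
        15601 = @{ PatchedVersion = [version]'16.0.15601.20870' }
        16130 = @{ PatchedVersion = [version]'16.0.16130.20916' }
        16731 = @{ PatchedVersion = [version]'16.0.16731.20550' }
    },
    @{
        ID = 'FirstReleaseDeferred'
        GUID = 'b8f9b850-328d-4355-9145-c59439a0c4cf'
        Name = 'Semi-Annual Enterprise (Preview)'
        16731 = @{ PatchedVersion = [version]'16.0.16731.20550' }
    },
    @{
        ID = 'InsiderFast'
        GUID = '5440fd1f-7ecb-4221-8110-145efaa6372f'
        Name = 'Beta'
        17404 = @{ PatchedVersion = [version]'16.0.17404.20000' }
    }
)

if ($IsO365) {
    Write-Output 'Detected M365 Apps installation.'
    # Check the Office GPO settings for the update channel.
    $OfficeUpdateChannelGPO = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate' -ErrorAction 'SilentlyContinue' | Select-Object -ExpandProperty UpdateBranch -ErrorAction 'SilentlyContinue')
    if ($OfficeUpdateChannelGPO) {
        Write-Output 'Office is configured to use a GPO update channel.'
        foreach ($Channel in $M365AppsChannels) {
            if ($OfficeUpdateChannelGPO -eq $Channel.ID) {
                $OfficeChannel = $Channel
            }
        }
    } else {
        Write-Output 'Office is not configured to use a GPO update channel.'
        # Get the UpdateUrl if set
        $OfficeUpdateURL = [System.Uri](Get-ItemProperty -Path $C2RConfigurationPath -ErrorAction 'SilentlyContinue' | Select-Object -ExpandProperty UpdateURL -ErrorAction 'SilentlyContinue')
        # Get the UnmanagedUpdateUrl if set
        $OfficeUnmanagedUpdateURL = [System.Uri](Get-ItemProperty -Path $C2RConfigurationPath -ErrorAction 'SilentlyContinue' | Select-Object -ExpandProperty UnmanagedUpdateURL -ErrorAction 'SilentlyContinue')
        # Get the Office Update CDN URL
        $OfficeUpdateChannelCDNURL = [System.Uri](Get-ItemProperty -Path $C2RConfigurationPath -ErrorAction 'SilentlyContinue' | Select-Object -ExpandProperty CDNBaseUrl -ErrorAction 'SilentlyContinue')
        # Get just the channel GUID: the third URI segment of whichever URL is set,
        # preferring UpdateUrl, then UnmanagedUpdateUrl, then CDNBaseUrl.
        if ($OfficeUpdateURL.IsAbsoluteUri) {
            $OfficeUpdateGUID = $OfficeUpdateURL.Segments[2]
        } elseif ($OfficeUnmanagedUpdateURL.IsAbsoluteUri) {
            $OfficeUpdateGUID = $OfficeUnmanagedUpdateURL.Segments[2]
        } elseif ($OfficeUpdateChannelCDNURL.IsAbsoluteUri) {
            $OfficeUpdateGUID = $OfficeUpdateChannelCDNURL.Segments[2]
        } else {
            Write-Error 'Unable to determine Office update channel URL.'
            Exit 1
        }
        # Map the GUID onto one of the known update channels
        foreach ($Channel in $M365AppsChannels) {
            if ($OfficeUpdateGUID -eq $Channel.GUID) {
                $OfficeChannel = $Channel
            }
        }
    }
    if (-not $OfficeChannel) {
        Write-Error 'Unable to determine Office update channel.'
        Exit 1
    } else {
        Write-Output ("{0} found using the {1} update channel. `r`nChannel ID: {2}. `r`nTarget Version: {3}. `r`nDetected Version: {4}" -f 'Microsoft 365 Apps', $OfficeChannel.Name, $OfficeChannel.ID, $OfficeChannel[$OfficeVersion.Build].PatchedVersion, $OfficeVersion)
    }
    # Catch installations on builds that have no entry in the channel table.
    # NOTE(review): a build newer than every listed build also has no entry and is
    # reported as vulnerable here; the table needs extending as new builds ship.
    if ($OfficeChannel[$OfficeVersion.Build].PatchedVersion) {
        Write-Output 'Target version detected, continuing with script'
    } else {
        Write-Output 'No value for Targeted version, install is probably on an old build, marking as vunerable'
        Write-Warning 'This version of Office is vulnerable.'
        $Vulnerable = $true
    }
}

if (($OfficeVersion.Major -eq 16) -and (-not $Vulnerable)) {
    # Every branch compares the whole [version] against its target. Comparing Build and
    # Revision separately and joining them with -and misses most unpatched installs
    # (for example an older build that happens to carry a high revision number).
    # NOTE(review): the build-range bounds on each branch are unchanged; a non-M365 install
    # below a branch's lower bound matches no branch and is reported as not vulnerable.
    if (($OfficeVersion.Build -ge 7571) -and ($OfficeVersion.Build -le 17404) -and $IsO365) {
        # Handle Microsoft 365 Apps
        if ($OfficeVersion -lt $OfficeChannel[$OfficeVersion.Build].PatchedVersion) {
            $Vulnerable = $true
        }
    } elseif (($OfficeVersion.Build -ge 10356) -and ($OfficeVersion.Build -le 10407) -and ($OfficeProductIds -like '*2019Volume*')) {
        # Handle VL Office 2019
        # NOTE(review): the original check used revision 20032 while its message printed
        # 16.0.10407.20023; 20032 is used for both here. Confirm against Microsoft's update history.
        $TargetVersion = [version]'16.0.10407.20032'
        if ($OfficeVersion -lt $TargetVersion) {
            Write-Output ("{0} found. `r`nTarget Version: {1}. `r`nDetected Version: {2}" -f 'Office 2019 VL', $TargetVersion, $OfficeVersion)
            $Vulnerable = $true
        }
    } elseif (($OfficeVersion.Build -eq 14332) -and ($OfficeProductIds -like '*2021Volume*')) {
        # Handle VL Office LTSC 2021
        # Evaluated before the Retail branch so an install that lists both a Volume and a
        # Retail product ID on build 14332 is measured against the LTSC target.
        # The original inner test required Build -ne 14332 inside a branch that is only
        # entered when Build -eq 14332, so it could never report a vulnerable install.
        $TargetVersion = [version]'16.0.14332.20637'
        if ($OfficeVersion -lt $TargetVersion) {
            Write-Output ("{0} found. `r`nTarget Version: {1}. `r`nDetected Version: {2}" -f 'Office LTSC 2021', $TargetVersion, $OfficeVersion)
            $Vulnerable = $true
        }
    } elseif (($OfficeVersion.Build -ge 12527) -and ($OfficeVersion.Build -le 17231) -and ($OfficeProductIds -like '*Retail*')) {
        # Handle Office 2021 Retail, Office 2019 Retail and Office 2016 Retail
        # NOTE(review): the original tested Build -lt 16130 together with Revision -lt 20236
        # and printed 16.0.1.20306 as the target. The target below combines this branch's upper
        # build bound with that revision, which matches the Current channel entry in the table
        # above. Confirm against Microsoft's update history before relying on it.
        $TargetVersion = [version]'16.0.17231.20236'
        if ($OfficeVersion -lt $TargetVersion) {
            Write-Output ("{0} found. `r`nTarget Version: {1}. `r`nDetected Version: {2}" -f 'Office 2021, 2019 or 2016 Retail', $TargetVersion, $OfficeVersion)
            $Vulnerable = $true
        }
    }
}

# Record the verdict in the NinjaOne custom field.
if ($Vulnerable) {
    Write-Warning 'This version of Office is vulnerable to CVE-2024-21413.'
    Ninja-Property-Set CVE202421413 1
} else {
    Write-Output 'This version of Office is not vulnerable to CVE-2024-21413.'
    Ninja-Property-Set CVE202421413 0
}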