VYPR
Unrated severity · NVD Advisory · Published Jun 13, 2023 · Updated Jan 3, 2025

CVE-2023-32548

Description

An OS command injection vulnerability exists in WPS Office version 10.8.0.6186. If a remote attacker who can conduct a man-in-the-middle attack connects the product to a malicious server and sends specially crafted data, an arbitrary OS command may be executed on the system where the product is installed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WPS Office 10.8.0.6186 allows OS command injection via a man-in-the-middle attack, leading to arbitrary command execution.

Vulnerability

WPS Office version 10.8.0.6186 contains an OS command injection vulnerability (CWE-78). The vulnerability exists in the update mechanism, where the product communicates with an update server. An attacker can exploit this by conducting a man-in-the-middle attack or by modifying the registry or configuration files to redirect the update server to a malicious server [1][2].

Exploitation

An attacker must be able to perform a man-in-the-middle attack on the network traffic between the vulnerable WPS Office installation and its legitimate update server, or have write access to the registry or configuration files to change the server address. Once the connection is redirected to a malicious server, the attacker sends a specially crafted response that triggers OS command injection [1]. No user interaction beyond running the update mechanism is required.

Impact

Successful exploitation allows the attacker to execute arbitrary OS commands on the system where WPS Office is installed, with the privileges of the user running the application. This can lead to full compromise of confidentiality, integrity, and availability [1].

Mitigation

No patch is available for WPS Office version 10.8.0.6186 as it is an end-of-life product. The vendor recommends that users stop using "WPS Office" and switch to "WPS Office2", which is not affected by this vulnerability [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
