CVE-2019-16337

7.8 HIGH (CVSS base score)

📋 TL;DR

A use-after-free in the hncbd90 component of Hancom Office is triggered when the suite parses a specially crafted .docx file. An attacker who gets a victim to open such a document can crash the application and, if the freed allocation can be reoccupied with attacker-controlled data, execute arbitrary code with the privileges of the user who opened it. Every installation of Hancom Office 9.6.1.9403 that opens documents from untrusted sources is affected.

💻 Affected Systems

Products:
  • Hancom Office
Versions: 9.6.1.9403
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only in the version listed; other releases have not been confirmed as either affected or unaffected.

📦 What is this software?

Hancom Office is an office suite from the South Korean vendor Hancom. Its Hangul word processor (hwp.exe) is widely deployed in South Korea, notably in government and education, and the suite also opens Microsoft Office formats such as .docx, which is the file type this vulnerability is reached through.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution in the context of the user who opens the document, leading to full compromise of that account or host, data theft, or ransomware deployment.

🟠

Likely Case

Application crash or denial of service; code execution is possible but requires a reliable way to control what reoccupies the freed memory, so it depends on exploit sophistication.

🟢

If Mitigated

No impact if the fix is installed, or if untrusted documents are never opened in Hancom Office.

🌐 Internet-Facing: MEDIUM - Malicious documents can be delivered by email or web download, but the victim must open the file.
🏢 Internal Only: MEDIUM - The same risk applies internally when users open untrusted documents from network shares or internal email.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a user to open a malicious document. Triggering the use-after-free is enough to crash the application; turning it into code execution additionally requires the attacker to reoccupy the freed allocation with controlled data before the stale pointer is used, which is harder to achieve reliably.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated here; install the latest release offered by the Hancom update mechanism

Vendor Advisory: http://help.hancom.com/update_en_multilang/details/HOfficeNEO_update.htm

Restart Required: Yes

Instructions:

1. Open Hancom Office.
2. Go to the Help menu.
3. Select Check for Updates.
4. Follow the prompts to download and install the latest version.
5. Restart all Hancom Office applications.

🔧 Temporary Workarounds

Disable automatic document opening (all platforms)

Stop Hancom Office from opening untrusted documents automatically, for example by removing it as the default handler for .docx so that a double-clicked attachment or download is not parsed by the vulnerable component.

Use alternative office software (all platforms)

Temporarily open untrusted .docx files in Microsoft Office or LibreOffice instead of Hancom Office.

🧯 If You Can't Patch

  • Block Hancom Office from running with application allow-listing (AppLocker on Windows) until it can be updated
  • Use email filtering to block .docx attachments from untrusted senders

🔍 How to Verify

Check if Vulnerable:

Check the Hancom Office version in Help > About. If the version is exactly 9.6.1.9403, the installation is vulnerable; any other version is unconfirmed, not known safe.

Check Version:

On Windows: Check Help > About in the Hancom Office GUI. This page lists no vendor-provided command-line check; the installed version can normally also be read from the suite's entry under the Windows Uninstall registry keys or from the file version of its shipped binaries.

Verify Fix Applied:

After updating, confirm the version shown in Help > About is no longer 9.6.1.9403 and matches the current release listed in the vendor advisory.
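As an added example (not vendor tooling or code from this page), the following Python script applies the version check above to a whole machine rather than one About dialog: on Windows it enumerates the installed-programs entries under the Uninstall registry keys and classifies every Hancom entry as affected only when the version is exactly 9.6.1.9403, and as unconfirmed otherwise, since the advisory names no fixed version. That Hancom Office registers an Uninstall entry whose DisplayName contains "Hancom" and whose DisplayVersion equals the Help > About string is an assumption; the sample entries used when run off Windows are constructed.

```python
"""Fleet version check for CVE-2019-16337 (added example, not vendor tooling).

Assumptions not stated by the advisory: Hancom Office registers an
installed-programs entry under the Windows Uninstall registry keys whose
DisplayName contains "Hancom" and whose DisplayVersion equals the version
string shown in Help > About.
"""
import sys

# The advisory confirms exactly one affected build; nothing else is known safe.
AFFECTED_VERSIONS = {(9, 6, 1, 9403)}


def parse_version(text):
    """'9.6.1.9403' -> (9, 6, 1, 9403). Raises ValueError for non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True only for a build the advisory confirms as vulnerable."""
    try:
        return parse_version(version) in AFFECTED_VERSIONS
    except ValueError:
        return False  # unparsable string: treated as unconfirmed, never as safe


def classify(entries):
    """entries: iterable of (display_name, display_version).

    Returns [(name, version, status)] for Hancom entries, where status is
    'affected' for 9.6.1.9403 and 'unconfirmed' for anything else, because
    the advisory names no fixed version."""
    results = []
    for name, version in entries:
        if "hancom" not in name.lower():
            continue
        status = "affected" if is_affected(version) else "unconfirmed"
        results.append((name, version, status))
    return results


def installed_programs():
    """(DisplayName, DisplayVersion) pairs from the Uninstall keys. Windows only."""
    import winreg  # local import so the classifier can be used off Windows

    roots = [
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ]
    found = []
    for hive, path in roots:
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue  # key absent on this machine (e.g. no WOW6432Node on 32-bit)
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as subkey:
                        name, _ = winreg.QueryValueEx(subkey, "DisplayName")
                        version, _ = winreg.QueryValueEx(subkey, "DisplayVersion")
                except OSError:
                    continue  # entry without a DisplayName/DisplayVersion
                found.append((str(name), str(version)))
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        entries = installed_programs()
    else:
        # Constructed sample so the classifier can be exercised off Windows.
        entries = [("Hancom Office NEO", "9.6.1.9403"), ("Other App", "1.0")]
    for name, version, status in classify(entries):
        print(f"{name} {version}: {status}")
```

Because the advisory gives no fixed version, the script deliberately never reports "safe": an entry is either the confirmed-vulnerable build or unconfirmed, which is the honest state of knowledge until the vendor's current release is checked against the advisory.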

📡 Detection & Monitoring

Log Indicators:

  • Application Error (Event ID 1000) records for Hancom Office processes with access-violation exception codes
  • Unexpected termination of hwp.exe or related Hancom Office processes shortly after a document is opened

Network Indicators:

  • Unusual network connections originating from Hancom Office processes after document opening

SIEM Query:

(EventID=1000 OR EventID=1001) AND ProcessName="hwp.exe" AND ExceptionCode="0xc0000005"

Field names vary by SIEM. In the raw Event 1000 data the exception code appears as c0000005 without the 0x prefix, and the faulting module name (hncbd90 for this CVE) is the field that distinguishes this bug from unrelated crashes.
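The query above depends on the SIEM's field names. The following Python, added here as an example and not part of the original page, applies the same logic directly to Event ID 1000 records exported from the Windows Application log (wevtutil qe Application /f:xml, or Get-WinEvent's ToXml()). It flags access violations (exception code c0000005) in hwp.exe and ranks those whose faulting module is the hncbd90 component highest. The Data order (faulting application, version, timestamp, faulting module, version, timestamp, exception code, offset, PID, ...) is the standard layout of the Application Error 1000 event; the hncbd90.dll file name, hwp.exe as the only watched process, and the sample records are constructed assumptions. Event ID 1001 (Windows Error Reporting) carries the same crash in a different Data layout and is left out here.

```python
"""Triage Windows Application-log crash events for Hancom Office (added example).

Parses Event ID 1000 ("Application Error") records in the Windows event XML
schema and scores access violations in hwp.exe, ranking crashes inside the
hncbd90 component (named in CVE-2019-16337) highest. The positional Data
layout used below is the standard Application Error 1000 layout; the
module file name, the watched process list and the sample records are
constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_PROCESSES = {"hwp.exe"}  # assumption: extend with other Hancom executables
ACCESS_VIOLATION = "c0000005"    # STATUS_ACCESS_VIOLATION, as written in Event 1000 data


def _norm_code(code):
    """'0xC0000005' or 'c0000005' -> 'c0000005' so SIEM and raw forms compare equal."""
    code = code.strip().lower()
    return code[2:] if code.startswith("0x") else code


def parse_event(xml_text):
    """Return the fields of one Application Error 1000 record, or None otherwise."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    provider = root.find("e:System/e:Provider", NS)
    if event_id != "1000" or provider is None or provider.get("Name") != "Application Error":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < 7:
        return None  # truncated record: exception code not present
    time_el = root.find("e:System/e:TimeCreated", NS)
    return {
        "time": time_el.get("SystemTime") if time_el is not None else "",
        "host": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "app": data[0].lower(),         # faulting application name
        "app_version": data[1],         # faulting application version
        "module": data[3].lower(),      # faulting module name
        "exception": _norm_code(data[6]),
    }


def score(event):
    """0 = ignore, 1 = crash of a watched process, 2 = access violation,
    3 = access violation inside hncbd90 (the CVE-2019-16337 component)."""
    if event is None or event["app"] not in WATCHED_PROCESSES:
        return 0
    if event["exception"] != ACCESS_VIOLATION:
        return 1
    if event["module"].startswith("hncbd90"):
        return 3
    return 2


def triage(records):
    """Parse every XML record; return (score, event) pairs scoring >= 2, highest first."""
    hits = []
    for xml_text in records:
        event = parse_event(xml_text)
        s = score(event)
        if s >= 2:
            hits.append((s, event))
    hits.sort(key=lambda pair: pair[0], reverse=True)
    return hits


def _record(app, module, code, host="WS01"):
    """Constructed Event 1000 record in the Windows event XML schema (sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Application Error"/><EventID Qualifiers="0">1000</EventID>
  <TimeCreated SystemTime="2019-09-20T10:21:33.000000000Z"/><Channel>Application</Channel>
  <Computer>{host}</Computer></System>
  <EventData><Data>{app}</Data><Data>9.6.1.9403</Data><Data>5d7e0f0c</Data>
  <Data>{module}</Data><Data>9.6.1.9403</Data><Data>5d7e0f1a</Data>
  <Data>{code}</Data><Data>000000000003a1b2</Data><Data>0x1f40</Data></EventData>
</Event>"""


SAMPLE_RECORDS = [
    _record("hwp.exe", "hncbd90.dll", "c0000005"),      # shape of a triggered use-after-free
    _record("hwp.exe", "ntdll.dll", "c0000005"),        # access violation elsewhere
    _record("hwp.exe", "hncbd90.dll", "c0000409"),      # stack-cookie failure, not an AV
    _record("notepad.exe", "notepad.exe", "c0000005"),  # not a watched process
]

if __name__ == "__main__":
    for s, ev in triage(SAMPLE_RECORDS):
        print(s, ev["host"], ev["time"], ev["app"], ev["module"], ev["exception"])
```

A score of 3 is worth an immediate look at the document the user opened just before the crash; a score of 2 is a generic Hancom crash that still merits correlation with recent email or download activity on the host.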

🔗 References
