CVE-2021-38110 – CVE-2021-38110 is an out-of-bounds write vulner... (How to Fix)

Q: What is the severity of CVE-2021-38110?

CVE-2021-38110 has a CVSS score of 7.8 (HIGH). CVE-2021-38110 is an out-of-bounds write vulnerability in Corel WordPerfect's Word97Import200.dll that allows arbitrary code execution when parsing malicious DOC files. Users of Corel WordPerfect 2020 who open untrusted documents are affected. Exploitation requires user interaction through opening a crafted file.

📋 TL;DR

CVE-2021-38110 is an out-of-bounds write vulnerability in Corel WordPerfect's Word97Import200.dll that allows arbitrary code execution when parsing malicious DOC files. Users of Corel WordPerfect 2020 who open untrusted documents are affected. Exploitation requires user interaction through opening a crafted file.

💻 Affected Systems

Products:

Corel WordPerfect 2020

Versions: 20.0.0.200

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with WordPerfect 2020 installed and when users open DOC files using the vulnerable component.

📦 What is this software?

Wordperfect 2020 by Corel

View all CVEs affecting Wordperfect 2020 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's machine in the context of the current user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malware installation or data exfiltration when users open malicious DOC files from phishing emails or untrusted sources.

🟢

If Mitigated

Limited impact with proper security controls preventing execution of malicious payloads or containing the compromise.

🌐 Internet-Facing: LOW - Exploitation requires local file access and user interaction, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Risk exists within organizations where users might open malicious documents from internal or external sources.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) but no authentication. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest version of WordPerfect 2020 (specific version not specified in references)

Vendor Advisory: https://www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-vulnerabilities-across-multiple-corel-products

Restart Required: Yes

Instructions:

1. Open Corel WordPerfect 2020. 2. Navigate to Help > Check for Updates. 3. Follow prompts to download and install available updates. 4. Restart WordPerfect and system if required.

🔧 Temporary Workarounds

Disable Word97Import200.dll

windows

Temporarily disable or restrict access to the vulnerable DLL to prevent exploitation

takeown /f "C:\Program Files\Corel\WordPerfect Office 2020\Programs\Word97Import200.dll"
icacls "C:\Program Files\Corel\WordPerfect Office 2020\Programs\Word97Import200.dll" /deny Everyone:(R,X)

Application Control Policy

windows

Use Windows AppLocker or similar to block execution of Word97Import200.dll

New-AppLockerPolicy -RuleType Path -Action Deny -Path "C:\Program Files\Corel\WordPerfect Office 2020\Programs\Word97Import200.dll" -User Everyone

🧯 If You Can't Patch

Implement application whitelisting to prevent unauthorized DLL execution
Educate users to never open DOC files from untrusted sources and disable automatic document opening

🔍 How to Verify

Check if Vulnerable:

Check WordPerfect version in Help > About WordPerfect. If version is 20.0.0.200, system is vulnerable.

Check Version:

wmic product where "name like 'WordPerfect%'" get version

Verify Fix Applied:

Verify WordPerfect version after update shows a version higher than 20.0.0.200 and check that Word97Import200.dll file properties show updated version.

📡 Detection & Monitoring

Log Indicators:

Windows Application logs showing WordPerfect crashes with exception codes like 0xC0000005 (ACCESS_VIOLATION)
Process creation events for WordPerfect spawning unexpected child processes

Network Indicators:

Unusual outbound connections from WordPerfect process to external IPs

SIEM Query:

source="Windows Security" EventCode=4688 ProcessName="*WordPerfect*" | stats count by ProcessCommandLine

📊 Metadata

CVE ID: CVE-2021-38110

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: October 1, 2021

Last Updated: November 21, 2024

🔗 References

https://www.fortiguard.com/zeroday/FG-VD-21-036 Third Party Advisory
https://www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-vulnerabilities-across-multiple-corel-products Third Party Advisory
https://www.fortiguard.com/zeroday/FG-VD-21-036 Third Party Advisory
https://www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-vulnerabilities-across-multiple-corel-products Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38110, you might also want to check these: