- 14 Jul 2024

Microsoft Outlook Remote Code Execution Vulnerability CVE-2024-38021
Security Vulnerability
Released: Jul 9, 2024
Last updated: Jul 10, 2024
CVSS:3.1 8.8 / 7.7
Impact: Remote Code Execution
Max Severity: Important
Weakness: CWE-20: Improper Input Validation
INFO:
MS Outlook zero-click vulnerability {CVE-2024-38021}, which allows remote attackers to execute arbitrary code on vulnerable systems. This vulnerability is reminiscent of the previous Outlook flaw {CVE-2024-21413} and exposes users to similar risks, including a serious NTLM credential leak that remains unresolved.
CVE-2024-38021 is rooted in the way Microsoft Outlook handles hyperlink objects, specifically within image tags in emails.
Attackers can exploit the vulnerability by embedding composite monikers within image tag URLs. As a result, the unsafe MkParseDisplayName function is invoked, which leads to potential remote code execution and a local NTLM credential leak.
"This vulnerability can be triggered simply by opening an email containing a malicious image tag. No user interaction is required beyond viewing the email. Once triggered, the attacker can gain control over the system, execute arbitrary commands, and steal sensitive information, all without the victim's knowledge."
CVE-2024-38021 PATCH
"To patch CVE-2024-38021, Microsoft used the same approach as with the previous vulnerability by utilizing the BlockMkParseDisplayNameOnCurrentThread flag. This time, they updated the HrPmonFromUrl function to set the flag to true. By doing this, any composite moniker passed within an image tag URL will be blocked from invoking the vulnerable MkParseDisplayName function, thereby preventing the exploit."
- Microsoft issued a patch that extends the use of the BlockMkParseDisplayNameOnCurrentThread flag to the HrPmonFromUrl function.
NTLM Credential Leak - Unpatched
MORPHISEC discovered that passing a simple file moniker still results in the local NTLM credentials being leaked, indicating that the patch does not fully address all potential security risks associated with moniker handling.
Microsoft's official response is: "We recommend customers follow security best-practices and to not trust content shared from unknown sources. We’ve documented (Block or unblock automatic picture downloads in email messages - Microsoft Support) that Outlook, by default, blocks automatic image downloads from the Internet to safeguard users from potentially harmful attachments or linked documents."
Even though this patch fixes the RCE vulnerability, the NTLM credential leakage is still present, and threat actors can still exploit it to capture and reuse NTLM hashes, potentially leading to further network compromise or lateral movement within an organization's infrastructure.
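Both the image-tag URL handling described above and the still-unpatched file-moniker NTLM leak come down to what an <img src> in a mail body is allowed to point at. As an added example (not code from this post, Microsoft or Morphisec), here is a small Python checker that parses a constructed message and flags image sources that are not plain web, cid: or data: references, i.e. file: URLs, UNC paths and drive letters of the kind a file moniker resolves to; the helper class, the scheme list and the sample message are assumptions.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Web images are what Outlook's default "block automatic picture downloads"
# governs, and cid:/data: images never leave the message. Any other <img src>
# (file: URL, UNC path, drive letter) names a file path, which is what a file
# moniker resolves to and can trigger an outbound NTLM logon when fetched.
EXPECTED_SCHEMES = {"http", "https", "cid", "data"}

class ImgSrcCollector(HTMLParser):
    """Hypothetical helper: gather every <img src> value in an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "img":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

def suspicious_image_sources(raw_message: bytes) -> list[str]:
    """Return <img src> values from the text/html parts that are not plain
    web/cid/data references. UNC and relative paths parse with an empty
    scheme, so they are flagged too; a mail client cannot resolve them safely."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgSrcCollector()
        collector.feed(part.get_content())
        for src in collector.sources:
            if src.startswith("\\\\") or urlparse(src).scheme.lower() not in EXPECTED_SCHEMES:
                flagged.append(src)
    return flagged

# Constructed sample message; every host name is a placeholder.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Content-Type: text/html; charset=us-ascii

<html><body><p>Quarterly report</p>
<img src="https://example.invalid/logo.png">
<img src="cid:inline-part-1">
<img src="file://example.invalid/share/logo.png">
<img src="\\\\example.invalid\\share\\logo.png">
</body></html>
"""
```

Running `suspicious_image_sources(SAMPLE_EML)` leaves the https and cid images alone and returns only the file: URL and the UNC path.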
REF:
Security Update Guide - Microsoft Security Response Center
Technical Analysis: CVE-2024-38021