Date: 15-2-2024

On Tuesday, February 13th, 2024, Microsoft released a patch for a critical vulnerability in multiple versions of Microsoft Outlook, known as CVE-2024-21413, that can potentially provide a remote unauthenticated attacker with remote code execution [1]. The vulnerability allows an attacker to create a maliciously crafted link which bypasses Microsoft Outlook's security restrictions and can lead to local NTLM credential leakage, and remote code execution when combined with other exploits [2]. The vulnerability received a CVSS score of 9.8 out of 10.

Description

On Tuesday, February 13th, 2024, Microsoft released a number of security patches as part of "Patch Tuesday". Among them is a patch for CVE-2024-21413, a vulnerability in Microsoft Outlook dubbed "MonikerLink", which allows remote unauthenticated attackers to craft malicious links that bypass Outlook security restrictions [1]. The malicious links make it possible for attackers to extract local NTLM credential information by linking to remote files. Additionally, when combined with vulnerabilities in applications that function as a COM server, such as Microsoft Word, it is possible that CVE-2024-21413 leads to remote code execution on a host [2]. At the time of writing, the complete range of impact for the vulnerability is not known. Given the nature of the vulnerability, however, it is likely that other uses of it will be discovered and abused by attackers.

Microsoft has released patches for this vulnerability for relevant products as part of the "Patch Tuesday" cycle of February 2024. Microsoft has also separately released patches for users of Office 2016, which can be downloaded from the FAQ section [1] of the update guide on CVE-2024-21413. The vulnerability has been confirmed by researchers of Check Point to work on the latest versions of Windows 10 and 11 and Microsoft 365 (Office 2021) environments, and is expected to work for other versions of Office too [2].

Impact

We estimate the impact of this vulnerability as HIGH, as successful exploitation combined with other exploits (whether or not these already exist) can provide a remote unauthenticated attacker with access to a device through remote code execution. By itself, the vulnerability can lead to the external leakage of local NTLM credentials, which attackers could relay to authenticate, or from which domain passwords could be derived for follow-up attack attempts. Given the nature of the vulnerability, it is likely that other exploits will be discovered that can be combined with it to increase the impact.

Risk

We estimate the risk of the vulnerability as HIGH because successful exploitation is trivial and Microsoft Outlook is prevalent on systems. However, there have been no active signs of exploitation as of the time of writing.

Mitigation

To mitigate this vulnerability, we urge readers to apply the patches released by Microsoft as part of the "Patch Tuesday" cycle, and the separately provided patches for Microsoft Office 2016 [1] when applicable.
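As a triage aid alongside patching, the following added example (not Northwave's or Microsoft's code) lists links in a message's HTML parts that point at files on a remote host, the behaviour the Description attributes to the malicious links. Treating every `file:` or UNC link to a non-local host as suspicious is an assumption of this sketch; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import unquote

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        self.targets += [v.strip() for k, v in attrs if k in ("href", "src") and v]

def remote_file_host(target):
    """Return the remote host a link would load a file from, or None."""
    t = unquote(target.strip())            # also catches %5C-encoded backslashes
    if t.lower().startswith("file:"):
        rest = t[5:].replace("\\", "/")
        path = rest.lstrip("/")
        # 0, 1 or 3 leading slashes mean a local path (file:///C:/...)
        if len(rest) - len(path) in (0, 1, 3):
            return None
    elif t.startswith("\\\\"):             # bare UNC path
        path = t[2:].replace("\\", "/")
    else:
        return None                        # http(s), mailto, //cdn links, ...
    host = path.split("/", 1)[0].lower()
    return None if host in LOCAL_HOSTS or host.endswith(":") else host

def scan_message(raw_bytes):
    """List (host, link) pairs for remote-file links in the HTML parts."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            findings += [(h, t) for t in collector.targets if (h := remote_file_host(t))]
    return findings

# Constructed sample message, not taken from a real campaign
SAMPLE = b"""Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<a href="https://example.com/report">ordinary link</a>
<a href="file://fileserver.example.net/share/report.rtf">remote file</a>
<a href="file:///C:/Users/Public/notes.txt">local file</a>
<img src="\\\\198.51.100.7\\img\\logo.png">
"""
```

Running `scan_message(SAMPLE)` reports the `fileserver.example.net` and `198.51.100.7` links and ignores the web link and the local file path.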

What should you do?

Follow the mitigation steps listed above to mitigate the vulnerability.

What will Northwave do?

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.

We will monitor any developments regarding this vulnerability. As soon as new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

Sources

[1]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21413

[2]: https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.