Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service without any user interaction.
“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.
The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –
- CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.
Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT29 has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.
It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of the May 2023 security updates.
“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.
CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function and could be exploited by sending an email containing a malicious file or a URL to an Outlook client.
“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.
In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to zero-click code execution on the victim machine.
CVE-2023-36710 impacts the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that is used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.
“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”
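The bug class described above, integer overflow in size arithmetic while processing a WAV file, is illustrated here with an added example. This is not Akamai’s or Microsoft’s code and does not reproduce the ACM defect; it models a simplified WAVE format header whose output-buffer size is computed in 32-bit arithmetic, beside an overflow-checked version that rejects the same input. The struct, field values and function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified view of the fields a WAVE "fmt " chunk and data
   chunk supply to a decoder. Field names follow the canonical WAVEFORMATEX
   layout; this is an illustrative model of the bug class, not ACM code. */
typedef struct {
    uint16_t channels;
    uint32_t samples_per_sec;
    uint16_t bits_per_sample;
    uint32_t frame_count;   /* sample frames claimed by the data chunk */
} wav_format_t;

/* Naive size computation: every operand is uint32_t or narrower, so the
   product wraps silently. A decoder that allocates this many bytes and then
   copies the claimed payload into it has a heap overflow. */
uint32_t unchecked_pcm_bytes(const wav_format_t *f) {
    uint32_t bytes_per_frame = (uint32_t)f->channels * (f->bits_per_sample / 8u);
    return f->frame_count * bytes_per_frame;   /* may wrap modulo 2^32 */
}

/* Hardened version: validate the format fields before using them, compute in
   64 bits, and refuse any total that does not fit the 32-bit size the rest of
   the pipeline uses. Returns 0 on success, -1 on rejection. */
int checked_pcm_bytes(const wav_format_t *f, uint32_t *out) {
    if (f->channels == 0 || f->channels > 64) return -1;
    if (f->bits_per_sample == 0 || f->bits_per_sample % 8 != 0 ||
        f->bits_per_sample > 64) return -1;
    uint64_t bytes_per_frame = (uint64_t)f->channels * (f->bits_per_sample / 8u);
    uint64_t total = (uint64_t)f->frame_count * bytes_per_frame;
    if (total > UINT32_MAX) return -1;   /* would have wrapped in 32 bits */
    *out = (uint32_t)total;
    return 0;
}

/* Runs both paths on a constructed header: 2 channels, 16-bit samples, and a
   frame count chosen so that frames * 4 bytes exceeds 2^32. Returns 1 when the
   unchecked path wraps to a tiny size and the checked path rejects the input. */
int overflow_demo(uint32_t *wrapped_size, int *checked_rc) {
    wav_format_t f = { .channels = 2, .samples_per_sec = 44100,
                       .bits_per_sample = 16, .frame_count = 0x40000001u };
    *wrapped_size = unchecked_pcm_bytes(&f);   /* 0x100000004 wraps to 4 */
    uint32_t accepted = 0;
    *checked_rc = checked_pcm_bytes(&f, &accepted);
    return *wrapped_size == 4 && *checked_rc == -1;
}

int main(void) {
    uint32_t wrapped;
    int rc;
    overflow_demo(&wrapped, &rc);
    printf("unchecked size: %u bytes (wrapped)\n", wrapped);
    printf("checked result: %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

The defensive point is the order of operations: bounds-check the header fields first, then do the multiplication in a type wide enough that it cannot wrap, and only then narrow to the size type the allocator expects. A single comparison against UINT32_MAX after a 64-bit multiply is what separates a clean rejection from a heap overflow.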
To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it’s also advised to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.