Experts Reveal New Details on Zero-Click Outlook RCE Exploits


Dec 18, 2023 | Newsroom | Email Security / Vulnerability

Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service without any user interaction.

“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.

The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –

  • CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
  • CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability

CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to conduct a relay attack.

Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT29 has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.

It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of the May 2023 security updates.

“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.


CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function and could be exploited by sending an email containing a malicious file or a URL to an Outlook client.

“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.

In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to zero-click code execution on the victim machine.

CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that is used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.

“Finally, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is approximately 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”

To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. Additionally, it’s also advised to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
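As an added example (not code from the article, from Microsoft or from Akamai’s report), the PowerShell below applies the three mitigations listed above on a domain-joined Windows host: a host-firewall rule that blocks outbound SMB to public address space, membership in Protected Users for a pilot set of accounts, and the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy in audit mode. The address ranges (RFC 1918 treated as the only internal networks), the sample account names and the audit-first setting are assumptions to adjust for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: defensive configuration for the Outlook/NTLM-relay vulnerability family.
# Run on a workstation (step 1 and 3) and on a DC or host with RSAT (step 2).

# --- 1. Block outbound SMB (TCP 445) to non-private address space -----------------
# Windows Firewall evaluates Block rules before Allow rules, so "block any, allow
# private" does not work; the Block rule must enumerate the public ranges itself.
# Assumption: RFC 1918 is the only internal space. Loopback (127/8) and link-local
# (169.254/16) are excluded from the block list as well.
$PublicRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
$RuleName = 'Block outbound SMB (TCP 445) to public IP ranges'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $PublicRanges -Action Block -Profile Any | Out-Null
}
# Check: the rule exists and carries the expected remote address filter.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter

# --- 2. Add a pilot set of user accounts to Protected Users ------------------------
# Protected Users also disables NTLM, cached credentials, DES/RC4 Kerberos and
# delegation for its members, so do not add service or computer accounts, and
# pilot with a small group first. Account names below are constructed samples.
Import-Module ActiveDirectory
$PilotUsers = @('jdoe', 'asmith')
Add-ADGroupMember -Identity 'Protected Users' -Members $PilotUsers
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName

# --- 3. Restrict outgoing NTLM to remote servers (audit first) ---------------------
# Registry backing of the policy "Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers". 0 = allow all, 1 = audit all, 2 = deny all.
# Start in audit mode (1); switch to 2 once the NTLM operational log shows no
# legitimate outgoing NTLM authentications that would be denied.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $LsaKey -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Review what the audit mode records before moving to deny.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Keep the SMB block on the perimeter firewall and VPN profiles as well as on the host, since a roaming laptop outside the corporate network is exactly the case where an outbound SMB connection to a public address would succeed.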
