On February 13, 2024, the remote code execution vulnerability CVE-2024-21378 in Microsoft Outlook was also closed with the security updates. On March 11, 2024, an in-depth analysis of the vulnerability was published, which I saw in a tweet yesterday.
Outlook RCE vulnerability CVE-2024-21378
I had already pointed out the vulnerability CVE-2024-21378 in the blog post Microsoft Security Update Summary (February 13, 2024). This is a remote code execution vulnerability in Microsoft Outlook with a CVSSv3 score of 8.0 (rated important). Microsoft classified this vulnerability in Outlook as "Exploitation More Likely".
To exploit this vulnerability, an attacker would need to authenticate with LAN access and hold a valid logon for an Exchange user. If these requirements are met, the attacker must still trick the user into opening a crafted file. According to Microsoft, the preview pane is an attack vector, i.e. merely previewing a specially prepared file can trigger the vulnerability.
This vulnerability was then closed in all supported Office versions on February 13, 2024. In the article Microsoft Office Updates (February 13, 2024), I pointed out that the update KB5002543 closes this RCE vulnerability CVE-2024-21378 in the MSI installer versions of Outlook 2016. Microsoft has provided corresponding updates for the click-to-run versions.
More details on CVE-2024-21378
Nicolas Krassas points out in the following tweet that further information on this RCE vulnerability in Microsoft Outlook is now available. Back in 2017, Etienne Stalmans (SensePost, Orange CyberDefense) published an attack method that used VBScript code within Outlook form objects to achieve code execution given access to a mailbox. In response, Microsoft released a patch to mitigate the problem. However, the vulnerable synchronization function of these form objects was never changed. Security researchers at NetSPI took this as a starting point to examine the design for further vulnerabilities. As early as 2023, they discovered that Outlook is still vulnerable in this way.
After the security researchers informed Microsoft back in 2023, the company provided an update to close the vulnerability in February 2024. On March 11, 2024, the security researchers published more details on the vulnerability and its exploitation in the blog post CVE-2024-21378 — Remote Code Execution in Microsoft Outlook.
The starting point is that forms in Outlook are synchronized via MAPI with the help of IPM.Microsoft.FolderDesign.FormsDescription objects. These objects contain special properties and attachments that are used to "install" the form when it is first used on a client. The security researchers found that they were able to create arbitrary files on the hard disk and create arbitrary registry keys (with default values) under HKEY_CLASSES_ROOT (HKCR). These two primitives are sufficient to achieve remote code execution via Microsoft Outlook trivially.
If you are interested, you can read the details in the security researchers' article linked above. For users and administrators, however, it is sufficient to know that the security updates from February 2024 must be installed in order to be protected against this vulnerability.
Similar articles:
Microsoft Security Update Summary (February 13, 2024)
Microsoft Office Updates (February 13, 2024)