Emerging Details on Zero-Click Outlook Remote Code Execution Exploits

December 18, 2023

New insights have been disclosed about two recently patched security vulnerabilities in Microsoft Windows that could be exploited by cybercriminals to perform remote code execution on the Outlook email service without any user action. Akamai security researcher Ben Barnea, who identified these vulnerabilities, stated in a two-part report, "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients." The vulnerabilities were patched by Microsoft in August and October 2023.

The first vulnerability, CVE-2023-35384, is described by Akamai as a bypass for a critical security flaw that Microsoft rectified in March 2023. The second vulnerability, CVE-2023-23397, is related to privilege escalation that could lead to the theft of NTLM credentials and allow a cybercriminal to carry out a relay attack.

It was recently revealed by Microsoft, Proofpoint, and Palo Alto Networks Unit 42 that APT29, a Russian cyber threat group, has been actively exploiting the bug to gain unauthorized access to victims' accounts within Exchange servers. CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently fixed by Microsoft as part of May 2023 security updates.

Barnea further stated, "We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file." Both CVE-2023-35384 and CVE-2023-29324 involve the parsing of a path by the MapUrlToZone function that could be exploited by sending an email with a malicious file or a URL to an Outlook client.

The vulnerabilities could not only be used to leak NTLM credentials but could also be combined with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook's reminder sound feature, can lead to a zero-click code execution on the victim's machine. CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used to manage audio codecs, and is caused by an integer overflow vulnerability that occurs when playing a WAV file.

To reduce the risks, it is suggested that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. It is also recommended to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication method.

Related News

• Russian APT28 Exploits Outlook Flaw to Target EU NATO Members
• Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts
• Russian APT28 Hackers Breach Critical Networks in France
• Russian Hackers Conducting Widescale Credential-Stealing Attacks, Warns Microsoft
• Zero-Click Windows Vulnerability Allows NTLM Credential Theft

Latest News

• Critical RCE Vulnerability Found in Perforce Helix Core Server by Microsoft
• NKAbuse Malware Exploits NKN Blockchain for Stealthy Operations
• Russian APT29 Hackers Exploiting TeamCity Servers Since September: CISA
• Critical Apache Struts Vulnerability Targeted by Hackers Using Public Proof-of-Concept
• Sophos Backports Critical Vulnerability Fix for EOL Firewall Firmware