Emerging Details on Zero-Click Outlook Remote Code Execution Exploits

December 18, 2023

New insights have been disclosed about two recently patched security vulnerabilities in Microsoft Windows that could be exploited by cybercriminals to achieve remote code execution against Outlook clients without any user action. Akamai security researcher Ben Barnea, who identified these vulnerabilities, stated in a two-part report, "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients." The vulnerabilities were patched by Microsoft in August and October 2023.

The first vulnerability, CVE-2023-35384, is described by Akamai as a bypass for a critical security flaw that Microsoft rectified in March 2023. The second vulnerability, CVE-2023-23397, is related to privilege escalation that could lead to the theft of NTLM credentials and allow a cybercriminal to carry out a relay attack.

It was recently revealed by Microsoft, Proofpoint, and Palo Alto Networks Unit 42 that APT29, a Russian cyber threat group, has been actively exploiting this bug, CVE-2023-23397, to gain unauthorized access to victims' accounts within Exchange servers. CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was likewise discovered by Barnea and subsequently fixed by Microsoft as part of the May 2023 security updates.

Barnea further stated, "We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file." Both CVE-2023-35384 and CVE-2023-29324 involve the parsing of a path by the MapUrlToZone function that could be exploited by sending an email with a malicious file or a URL to an Outlook client.

The vulnerabilities could not only be used to leak NTLM credentials but could also be combined with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook's reminder sound feature, can lead to a zero-click code execution on the victim's machine. CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework used to manage audio codecs, and is caused by an integer overflow vulnerability that occurs when playing a WAV file.

To reduce the risks, it is suggested that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. It is also recommended to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication method.
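The two mitigations above can be applied with a short PowerShell script. This is an added example, not code from the Akamai report or from Microsoft's guidance; it assumes a Windows host with the built-in NetSecurity (Windows Firewall) module, a domain-joined environment with the RSAT ActiveDirectory module, and sufficient local and domain privileges. The rule name and the pilot usernames are constructed sample values.

```powershell
# Added example: enforce the two mitigations named in the article.
# Assumes the NetSecurity and ActiveDirectory PowerShell modules are present
# and the script runs with local admin and domain rights.

# 1. Block outbound SMB (TCP 445) to addresses outside the local network.
#    "Internet" is a built-in Windows Firewall address keyword for non-intranet
#    ranges, so file shares on the LAN keep working. On hosts where the keyword
#    does not resolve (for example non-domain machines), replace it with an
#    explicit list of the public ranges you want to block.
$ruleName = 'Block outbound SMB to Internet'   # constructed sample name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet `
        -Profile Any
}

# Verify the rule exists and is enabled before relying on it.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# 2. Add selected user accounts to the Protected Users group. Members cannot
#    authenticate with NTLM (the point of this mitigation), and also lose
#    DES/RC4 Kerberos, delegation, and long-lived TGTs, so roll out to a pilot
#    set first and never add computer or service accounts.
$pilotUsers = @('jdoe', 'asmith')   # constructed sample usernames
Add-ADGroupMember -Identity 'Protected Users' -Members $pilotUsers

# Confirm membership.
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object SamAccountName
```

The firewall rule addresses the coerced outbound SMB connection that leaks NTLM credentials; the group membership removes NTLM as an option for the protected accounts even if such a connection is made. Apply both, since either one alone leaves a path open.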
