Morphisec researchers have uncovered a critical vulnerability in Microsoft Outlook, identified as CVE-2024-38021. This flaw, which has a CVSS score of 8.8, poses a significant security threat, allowing remote attackers to execute arbitrary code on vulnerable systems. The vulnerability is particularly concerning due to the widespread use of Microsoft Outlook across corporate environments.
CVE-2024-38021 is rooted in how Microsoft Outlook handles hyperlink objects within image tags in emails. Specifically, the flaw allows attackers to craft a malicious hyperlink using a composite moniker—a combination of a file moniker and an item moniker. When Outlook processes this link, it triggers a chain of events that can lead to remote code execution (RCE).
This vulnerability is reminiscent of a previous Outlook flaw, CVE-2024-21413, which also exposed users to serious risks, including NTLM credential leaks. While Microsoft attempted to mitigate CVE-2024-21413 by implementing a security flag (BlockMkParseDisplayNameOnCurrentThread) to prevent unsafe parsing, Morphisec discovered that this fix was incomplete. The HrPmonFromUrl method, which handles URLs within image tags, did not set the protective flag, leaving the door open for exploitation.
Morphisec’s findings revealed that despite Microsoft’s patch for CVE-2024-21413, attackers could still exploit a similar vulnerability by embedding composite monikers within image tag URLs. This bypass allows the unsafe MkParseDisplayName function to be invoked, leading to potential RCE and the leaking of local NTLM credentials.
What makes CVE-2024-38021 particularly alarming is its zero-click nature for trusted senders—no user interaction is required beyond simply viewing an email containing a malicious image tag. Once triggered, an attacker can gain control over the system, execute arbitrary commands, and steal sensitive information without the victim’s knowledge. For untrusted senders, one-click user interaction is required, but the risk remains high.
In response to this discovery, Microsoft issued a patch that extends the use of the BlockMkParseDisplayNameOnCurrentThread flag to the HrPmonFromUrl function, aiming to prevent the unsafe parsing of composite monikers within image tags. However, Morphisec highlighted a significant oversight: the patch does not fully address the issue of NTLM credential leakage. A simple file moniker can still expose these credentials, leaving a critical security gap unaddressed.
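The two gaps described above (composite monikers reaching MkParseDisplayName through image-tag URLs, and simple file monikers still leaking NTLM credentials after the patch) can be flagged at the mail gateway. The following scanner is an added example, not Morphisec's or Microsoft's code; the host names, paths and HTML are constructed sample data, and it assumes the standard COM display-name convention in which an item moniker is introduced by "!" after the file moniker.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A file: URL or UNC path (\\host\share\...) is what Outlook would hand to
# MkParseDisplayName as a file moniker; anything else is left alone.
FILE_URL_RE = re.compile(r'^(?:file:|\\\\)', re.IGNORECASE)


class MailLinkScanner(HTMLParser):
    """Collects the URLs Outlook would resolve: <img src> and <a href>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.urls.append(("img", attrs["src"]))
        elif tag == "a" and attrs.get("href"):
            self.urls.append(("a", attrs["href"]))


def classify(url):
    """Return a finding label for file/UNC URLs, None for ordinary URLs."""
    u = unquote(url.strip())          # undo %21 etc. so "!" cannot hide
    if not FILE_URL_RE.match(u):
        return None
    path = re.sub(r'^file:(//)?', '', u, flags=re.IGNORECASE)
    if "!" in path:
        # file moniker + item moniker: the composite form behind the RCE
        return "composite-moniker"
    # plain file moniker: still forces an SMB/NTLM authentication attempt
    return "file-moniker"


def scan_email_html(html):
    """Return (tag, url, finding) for every URL that needs quarantine/review."""
    parser = MailLinkScanner()
    parser.feed(html)
    findings = []
    for tag, url in parser.urls:
        label = classify(url)
        if label:
            findings.append((tag, url, label))
    return findings


# Constructed sample message: one benign image, one composite moniker in an
# image tag, one UNC link wrapped around an inline image.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.test/logo.png">
<img src="file://fileserver.example.test/share/pic.png!item">
<a href="\\\\fileserver.example.test\\share\\doc.rtf"><img src="cid:logo"></a>
</body></html>"""
```

Running `scan_email_html(SAMPLE_HTML)` yields two findings: the image tag as `composite-moniker` and the UNC anchor as `file-moniker`; the https and cid: references are ignored.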
Given the seriousness of this issue, Morphisec urges organizations to take immediate action by regularly updating their Office applications and implementing robust email security measures. While the latest patch reduces the risk of RCE, the NTLM leak remains a viable attack vector that could be exploited by determined adversaries.
The discovery of CVE-2024-38021 underscores the importance of continuous security vigilance. Organizations must ensure their systems are patched, educate users about the risks associated with opening emails from unknown or suspicious sources, and maintain comprehensive security coverage to protect against known and unknown threats.