Details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service without any user interaction.
“An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients,” Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News.
The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below –
- CVE-2023-35384 (CVSS score: 5.4) – Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2023-36710 (CVSS score: 7.8) – Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (CVSS score: 9.8), the flaw relates to a case of privilege escalation that could result in the theft of NTLM credentials and enable an attacker to perform a relay attack.
Earlier this month, Microsoft, Proofpoint, and Palo Alto Networks Unit 42 revealed that a Russian threat actor known as APT29 has been actively weaponizing the bug to gain unauthorized access to victims’ accounts within Exchange servers.
It’s worth noting that CVE-2023-35384 is also the second patch bypass after CVE-2023-29324, which was also discovered by Barnea and subsequently remediated by Redmond as part of the May 2023 security updates.
“We found another bypass to the original Outlook vulnerability — a bypass that once again allowed us to coerce the client to connect to an attacker-controlled server and download a malicious sound file,” Barnea said.
CVE-2023-35384, like CVE-2023-29324, is rooted in the parsing of a path by the MapUrlToZone function and could be exploited by sending an email containing a malicious file or a URL to an Outlook client.
“A security feature bypass vulnerability exists when the MSHTML platform fails to validate the correct Security Zone of requests for specific URLs. This could allow an attacker to cause a user to access a URL in a less restricted Internet Security Zone than intended,” Microsoft noted in its advisory.
In doing so, the vulnerability can not only be used to leak NTLM credentials, but can also be chained with the sound parsing flaw (CVE-2023-36710) to download a custom sound file that, when autoplayed using Outlook’s reminder sound feature, can lead to zero-click code execution on the victim machine.
CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework that’s used to manage audio codecs, and is the result of an integer overflow vulnerability that occurs when playing a WAV file.
“Eventually, we managed to trigger the vulnerability using the IMA ADP codec,” Barnea explained. “The file size is around 1.8 GB. By performing the math limit operation on the calculation we can conclude that the smallest possible file size with IMA ADP codec is 1 GB.”
To mitigate the risks, it’s recommended that organizations use microsegmentation to block outgoing SMB connections to remote public IP addresses. In addition, it’s also advised to either disable NTLM or add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism.
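As an added example (not from the article or from Akamai), the following PowerShell script applies the host-side mitigations listed above on a domain-joined Windows client: a firewall rule blocking outbound SMB to non-intranet addresses, membership in Protected Users, and an optional policy that denies outgoing NTLM. It assumes an elevated session, the RSAT ActiveDirectory module, and a constructed sample user list; the `Internet` address keyword relies on Windows Firewall's own network classification.

```powershell
# Added example, not the article's or Akamai's code. Assumptions: run elevated,
# ActiveDirectory module installed, $Users are constructed sample accounts.
#Requires -RunAsAdministrator
param(
    [string[]]$Users = @('alice', 'bob'),   # constructed sample accounts
    [switch]$DenyOutboundNtlm               # opt-in: stricter than the group change alone
)

# 1. Block outbound SMB (TCP 445) to public addresses. The 'Internet' keyword
#    matches addresses Windows Firewall does not classify as local subnet or
#    intranet, so on-link file servers keep working. Use an explicit address
#    list instead if your intranet ranges are not classified correctly.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 family)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
}

# 2. Add the accounts to Protected Users, which removes NTLM as an
#    authentication option for them (group exists at 2012 R2 domain level or higher).
Import-Module ActiveDirectory
foreach ($u in $Users) {
    $acct = Get-ADUser -Identity $u -ErrorAction Stop
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct -ErrorAction Stop
}

# 3. Optional host-wide step: "Network security: Restrict NTLM: Outgoing NTLM
#    traffic to remote servers" with value 2 (Deny all); 1 would be audit-only.
if ($DenyOutboundNtlm) {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
}

# Verify what was applied.
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Action
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
```

Both the Protected Users change and the deny-all NTLM policy break any remaining NTLM-only file shares or applications, so start with value 1 (audit) on the policy and review the NTLM audit events before switching to 2.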
Some parts of this article are sourced from:
thehackernews.com