Introduction
In recent cybersecurity developments, the discovery of CVE-2024-21413 has raised significant concerns within the digital security community. This critical vulnerability, found within Microsoft Outlook, underscores the ever-present threat landscape that organizations face in safeguarding their information systems against sophisticated cyber threats.
Presenting CVE-2024-21413
CVE-2024-21413, also known as the #MonikerLink bug, is a severe security flaw with a CVSS score of 9.8, indicating its critical severity. Identified by Check Point Research, this vulnerability enables attackers to execute remote code and potentially gain unauthorized access to a victim's system by exploiting specific hyperlink processing behaviors within Outlook.
Affected Versions
- From Microsoft Office 2016 before 16.0.0 to this
- From Microsoft Office LTSC 2021 before 16.0.1 to this
- From Microsoft 365 Apps for Enterprise before 16.0.1 to this
- From Microsoft Office 2019 before 19.0.0 to this
How does it work?
Initially, the attacker crafts an email containing a malicious link formatted as:
    <h1><a href="file:///$url!meeting">Meeting - click here.</a></h1>
When the victim clicks on the link, it exploits the MkParseDisplayName() API vulnerability in Microsoft Outlook, bypassing Protected View and not requiring any SMB server setup by the attacker. The exploit uses a moniker link that directs to a maliciously crafted .rtf file hosted on the attacker's server. This file is automatically opened by Microsoft Word running in the background as a COM server, without displaying the normal Word user interface. This process can lead to remote code execution on the victim's machine by exploiting vulnerabilities in the way Word parses the .rtf file. If the exploit is successful, it can lead to the leaking of local NTLM credentials and allow the attacker to execute arbitrary code on the victim's computer without their knowledge. This attack bypasses typical security measures like Protected View, making it a particularly stealthy vector for gaining control over the victim's machine.
Detection
To detect and defend against the exploitation of CVE-2024-21413, the following methods can be utilized with KQL and Yara. For KQL, identifying vulnerable endpoints is key. This can be done with the following query, which identifies devices susceptible to CVE-2024-21413 by checking for software vulnerabilities, and then cross-references these devices with process and network events related to Microsoft Outlook's executable, specifically filtering for connections to public IPs over port 445, indicating a potential exploitation attempt:
    // Devices that vulnerability management reports as affected by the CVE
    let VulnerableEndpoints = DeviceTvmSoftwareVulnerabilities
        | where CveId == "CVE-2024-21413"
        | project DeviceId;
    DeviceProcessEvents
    | where FileName == "OUTLOOK.EXE"
    | join DeviceNetworkEvents on DeviceId
    | where DeviceId has_any(VulnerableEndpoints)
    | where RemotePort == 445
    | where RemoteIPType == "Public"
    // ActionType1 is the ActionType column of DeviceNetworkEvents, renamed by the join
    | where ActionType1 == "ConnectionSuccess"
    | project Timestamp, DeviceName, AccountUpn, ActionType1, RemoteIP
Credit: Steven Lim
For Yara, the detection focuses on identifying emails that contain evidence of an attempt to exploit CVE-2024-21413 in Microsoft Outlook, as detailed below:
    rule EXPL_CVE_2024_21413_Microsoft_Outlook_RCE_Feb24 {
       meta:
          description = "Detects emails that contain signs of a method to exploit CVE-2024-21413 in Microsoft Outlook"
          author = "X__Junior, Florian Roth"
          reference = "https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability/"
          date = "2024-02-17"
          modified = "2024-02-19"
          score = 75
       strings:
          $a1 = "Subject: "
          $a2 = "Received: "
          $xr1 = /file:\/\/\/\\\\[^"']{6,600}\.(docx|txt|pdf|xlsx|pptx|odt|etc|jpg|png|gif|bmp|tiff|svg|mp4|avi|mov|wmv|flv|mkv|mp3|wav|aac|flac|ogg|wma|exe|msi|bat|cmd|ps1|zip|rar|7z|targz|iso|dll|sys|ini|cfg|reg|html|css|java|py|c|cpp|db|sql|mdb|accdb|sqlite|eml|pst|ost|mbox|htm|php|asp|jsp|xml|ttf|otf|woff|woff2|rtf|chm|hta|js|lnk|vbe|vbs|wsf|xls|xlsm|xltm|xlt|doc|docm|dot|dotm)!/
       condition:
          filesize < 1000KB
          and all of ($a*)
          and 1 of ($xr*)
    }
Credit: Florian Roth
This approach leverages specific patterns and behaviors associated with the exploitation of CVE-2024-21413, enabling organizations to proactively monitor and mitigate potential threats stemming from this vulnerability.
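The YARA rule above matches the raw bytes of a message, so an HTML body sent with base64 transfer encoding never exposes the literal file:/// string to it. As an added example (not from the original page or from the rule's authors), the Python below decodes every text/html MIME part first and then flags `file:` hrefs that contain a `!`. The function names, host names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class HrefCollector(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_moniker_link(href):
    """True for a file: URL with a '!' after the target (file:///$url!item)."""
    h = href.strip().lower()
    return h.startswith("file:") and "!" in h[len("file:"):]

def find_moniker_links(raw_eml):
    """Return suspicious hrefs found in the text/html parts of a raw message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = HrefCollector()
        collector.feed(part.get_content())  # undoes base64 / quoted-printable
        hits += [h for h in collector.hrefs if is_moniker_link(h)]
    return hits

def make_sample(html, cte):
    """Build a constructed test message; hosts and addresses are placeholders."""
    m = EmailMessage()
    m["Subject"] = "Constructed sample"
    m["From"], m["To"] = "sender@example.test", "user@example.test"
    m.set_content("See the HTML part.")
    m.add_alternative(html, subtype="html", cte=cte)
    return m.as_bytes()

# Constructed inputs: same link in two transfer encodings, plus a benign mail.
LINK = r'<a href="file:///\\files.example.test\share\notes.rtf!meeting">Meeting</a>'
SAMPLE_B64 = make_sample(LINK, "base64")
SAMPLE_7BIT = make_sample(LINK, "7bit")
SAMPLE_BENIGN = make_sample('<a href="https://example.test/agenda">Agenda</a>', "7bit")

if __name__ == "__main__":
    for name, raw in [("base64", SAMPLE_B64), ("7bit", SAMPLE_7BIT), ("benign", SAMPLE_BENIGN)]:
        print(name, find_moniker_links(raw))
```

Both encodings of the constructed link are reported, while a byte-level search of the base64 sample finds no `file:` string at all.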
Remediation
Microsoft responded to the discovery of CVE-2024-21413 by releasing a critical security update as part of the February 2024 Patch Tuesday. Users and organizations are strongly urged to apply this patch immediately to protect against potential exploits leveraging this vulnerability. The update aims to address and mitigate the underlying issue, preventing attackers from exploiting the flaw. See https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates#february-13-2024
How Senthorus protects its customers
Most cybersecurity experts work in a 9-to-5 environment. The bad news is that threat actors don't. Critical vulnerabilities like CVE-2024-21413 can arise at any time, not only during business hours. This is where Senthorus steps into the breach, taking the lead in providing its customers with cyber defense made in Switzerland through full 24/7 monitoring of their infrastructure. On top of this, Senthorus's registered customers benefit from Incident Response and Digital Forensics services, in direct collaboration with our analysts, available all year round, 24/7/365.
Summary
CVE-2024-21413 highlights the critical importance of maintaining up-to-date systems and the need for vigilant cybersecurity practices. By promptly applying available patches, educating users, and implementing advanced defensive measures, organizations can significantly reduce their exposure to this and similar vulnerabilities. The collective effort of the cybersecurity community in identifying, reporting, and mitigating such threats is crucial in maintaining the integrity and security of digital infrastructures worldwide.
References
- https://www.cve.org/CVERecord?id=CVE-2024-21413
- https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates#february-13-2024
- https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/
- https://github.com/Neo23x0/signature-base/blob/master/yara/expl_outlook_cve_2024_21413.yar
- https://www.linkedin.com/pulse/defending-against-cve-2024-21413-outlook-monikerlink-bug-steven-lim-wesac