
CVE-2024-21413: Microsoft Outlook Preview Pane RCE Vulnerability

Date: 20/2/2024 | Prepared by: Joel D'Souza, Vulnerability Security Analyst

Purpose 

The purpose of this bulletin is to address the recently disclosed CRITICAL-risk vulnerability present in the desktop version of Microsoft Outlook.

As this vulnerability allows potential attackers to perform Remote Code Execution (RCE), the Triskele Labs team advises that all organisations using affected versions of Microsoft Outlook should follow the remediation steps outlined in the subsequent sections. This vulnerability is being tracked as CVE-2024-21413. 

On 13 February 2024, the Microsoft Security Response Center (MSRC) released a vulnerability disclosure as part of its Patch Tuesday program that detailed a vulnerability in several versions of the Outlook desktop app. The flaw could enable an attacker to bypass Office Protected View and have a file opened in Editing Mode as if the user had manually chosen to trust it.

This is a zero-click vulnerability that requires no user interaction to be exploited. The vulnerability was discovered by Haifei Li of Check Point Research and referred to as #MonikerLink. 

On 18 February 2024, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on CVE-2024-21413, with the recommendation that all organisations should review their device inventory for affected versions and patch the affected devices as a priority.  

 

Details 

The vulnerability impacts the following versions of the Microsoft Outlook desktop client. 

  • Microsoft Office 2016 (64-bit edition) Build 16.0.5435.1001 
  • Microsoft Office 2016 (64-bit edition) Build 16.0.5435.1000 
  • Microsoft Office 2016 (32-bit edition) Build 16.0.5435.1001 
  • Microsoft Office 2016 (32-bit edition) Build 16.0.5435.1000 
  • Microsoft Office LTSC 2021 for 32-bit editions 
  • Microsoft Office LTSC 2021 for 64-bit editions 
  • Microsoft 365 Apps for Enterprise for 64-bit Systems 
  • Microsoft 365 Apps for Enterprise for 32-bit Systems 
  • Microsoft Office 2019 for 64-bit editions 
  • Microsoft Office 2019 for 32-bit editions 

 

Office Protected View is a security feature that forces an externally acquired file to be opened as Read Only in a temporary sandboxed environment. This feature allows the user to preview the file without enabling editing and other potentially exploitable functions of the Office suite. The user can verify the contents of the file and choose to trust the file and enable editing. 

According to the Microsoft Security Response Center, this low-complexity attack vector is exploited when a threat actor uses a specially crafted malicious URL that bypasses the Office Protected View feature, which could lead to Remote Code Execution (RCE) and the leaking of local NTLM credentials. 

On 17 February 2024, a Proof of Concept (PoC) targeting this vulnerability was publicly released on GitHub by security researcher Alexander Hagenah. 

 

Impact  

Successful exploitation of this vulnerability could result in a range of adverse impacts, including data exfiltration, data encryption, or credential harvesting.

Given the criticality of this vulnerability and the likelihood of its exploitation, devices running affected versions of Outlook should be treated as a prime target for threat actors and patched as a business priority, to prevent the exfiltration of data and the leakage of Personally Identifiable Information (PII) and other sensitive data. 

 

Mitigation Actions 

Triskele Labs recommends implementing the security updates released by Microsoft immediately to ensure permanent mitigation. Automated updates from the following release channels include the security update required to mitigate the threat posed by CVE-2024-21413. 

  • Current Channel: Version 2401 (Build 17231.20236) 
  • Monthly Enterprise Channel: Version 2312 (Build 17126.20190) 
  • Monthly Enterprise Channel: Version 2311 (Build 17029.20178) 
  • Semi-Annual Enterprise Channel (Preview): Version 2308 (Build 16731.20550) 
  • Semi-Annual Enterprise Channel: Version 2308 (Build 16731.20550) 
  • Semi-Annual Enterprise Channel: Version 2302 (Build 16130.20916) 
  • Semi-Annual Enterprise Channel: Version 2208 (Build 15601.20870) 
  • Office 2021 Retail: Version 2401 (Build 17231.20236) 
  • Office 2019 Retail: Version 2401 (Build 17231.20236) 
  • Office 2016 Retail: Version 2401 (Build 17231.20236) 
  • Office LTSC 2021 Volume Licensed: Version 2108 (Build 14332.20637) 
  • Office 2019 Volume Licensed: Version 1808 (Build 10407.20032) 
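The following PowerShell script is an added example (not part of this bulletin or any Microsoft tooling) that reads the Click-to-Run build recorded in the registry and compares it with the fixed builds listed above. It assumes the standard Click-to-Run configuration key; MSI-based Office 2016 installs do not have that key and must be checked against the KB articles in the table below instead.

```powershell
# Added example, not part of the Triskele Labs bulletin. Compares the Click-to-Run
# Office build recorded in the registry with the fixed builds listed above.
# Assumption: the standard Click-to-Run key below is present; MSI-based Office 2016
# installs lack it and must be checked against the KB articles in the table instead.
$FixedBuilds = @{
    # build series = minimum patched revision (from the release-channel list above)
    17231 = 20236   # Current Channel; Office 2016/2019/2021 Retail (Version 2401)
    17126 = 20190   # Monthly Enterprise Channel (Version 2312)
    17029 = 20178   # Monthly Enterprise Channel (Version 2311)
    16731 = 20550   # Semi-Annual Enterprise Channel and Preview (Version 2308)
    16130 = 20916   # Semi-Annual Enterprise Channel (Version 2302)
    15601 = 20870   # Semi-Annual Enterprise Channel (Version 2208)
    14332 = 20637   # Office LTSC 2021 Volume Licensed (Version 2108)
    10407 = 20032   # Office 2019 Volume Licensed (Version 1808)
}

function Test-OfficeBuildPatched {
    # $VersionToReport looks like "16.0.17231.20236": the third field is the build
    # series that identifies the channel release, the fourth field is the revision.
    param([Parameter(Mandatory)][string]$VersionToReport)
    $v        = [version]$VersionToReport
    $series   = $v.Build
    $revision = $v.Revision
    if ($FixedBuilds.ContainsKey($series)) {
        if ($revision -ge $FixedBuilds[$series]) { $status = 'Patched' }
        else { $status = 'VULNERABLE - update to build {0}.{1}' -f $series, $FixedBuilds[$series] }
    } elseif ($series -gt 17231) {
        # Assumption: a build series newer than the February 2024 Current Channel
        # release was forked after the fix; confirm via aka.ms/OfficeSecurityReleases.
        $status = 'Likely patched (build newer than any listed); verify with Microsoft'
    } else {
        $status = 'Unknown build series; check the KB table manually'
    }
    [pscustomobject]@{ VersionToReport = $VersionToReport; Status = $status }
}

$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
        -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    Test-OfficeBuildPatched -VersionToReport $c2r.VersionToReport
} else {
    Write-Warning 'No Click-to-Run configuration found; check MSI Office 2016 via the KB articles.'
}
```

Running the script through Invoke-Command against a list of hosts gives a fleet-wide view of which devices still need the update.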

 

Affected versions and additional details about each required update can be found in the table below. 

Product                                          | Max Severity | Article                                | Download                   | Build Number
Microsoft Office 2016 (64-bit edition)           | Critical     | 5002537                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (64-bit edition)           | Critical     | 5002467                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (64-bit edition)           | Critical     | 5002522                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (64-bit edition)           | Critical     | 5002519                                | Security Update            | 16.0.5435.1000
Microsoft Office 2016 (32-bit edition)           | Critical     | 5002537                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (32-bit edition)           | Critical     | 5002467                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (32-bit edition)           | Critical     | 5002522                                | Security Update            | 16.0.5435.1001
Microsoft Office 2016 (32-bit edition)           | Critical     | 5002519                                | Security Update            | 16.0.5435.1000
Microsoft Office LTSC 2021 for 32-bit editions   | Critical     | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A
Microsoft Office LTSC 2021 for 64-bit editions   | Critical     | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A
Microsoft 365 Apps for Enterprise for 64-bit Systems | Critical | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A
Microsoft 365 Apps for Enterprise for 32-bit Systems | Critical | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A
Microsoft Office 2019 for 64-bit editions        | Critical     | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A
Microsoft Office 2019 for 32-bit editions        | Critical     | https://aka.ms/OfficeSecurityReleases  | Automated Security Update  | N/A


Triskele Labs DefenceShield customers with our Assess service (Vulnerability Scanning) are currently being scanned.

All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs). 

 

References 

References used for the generation of this release: