Adding a single character to a function in the previous Outlook patch rendered that fix useless, researchers say.
May 10, 2023
Call it a patch for a broken patch.
Microsoft's May 2023 security update includes a patch for a vulnerability that allows attackers to easily bypass a fix the company issued in March for a critical privilege-escalation bug in Outlook that attackers have already exploited.
That bug, tracked as CVE-2023-23397, allows attackers a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server. Microsoft, at the time, addressed the issue with a patch that essentially prevented the Outlook client from making such connections.
But a researcher from Akamai examining the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether — by adding just a single character to it.
Microsoft assigned a separate identifier for the new bug (CVE-2023-29324) and issued a patch for it in this month's Patch Tuesday batch.
In its vulnerability release notes, Microsoft described the CVE-2023-29324 as a bug that allows attackers to craft a malicious URL that could evade the zone checks the company had implemented in the patch for the March flaw.
This could result in "a limited loss of integrity and availability of the victim machine," Microsoft said. The company assessed the bug to be of moderate severity even though it also described it as one that attackers are more likely to exploit.
Microsoft is advising organizations to implement both the March patch for CVE-2023-23397 and the May patch for CVE-2023-29324 to be fully protected.
CVE-2023-29324 is a remotely exploitable, zero-click vulnerability that renders the patch for the original Outlook vulnerability useless, researchers at Akamai say.
"The vulnerability is easily triggered, as [it] doesn't require any special expertise," says Ben Barnea, the researcher at Akamai who discovered the new bug. "In fact, there are many PoCs available on the Internet for the original Outlook vulnerability, and they can be easily adapted to use the new bypass."
The original Outlook flaw, CVE-2023-23397, is a bug that basically allows an unauthenticated attacker to steal a user's NTLM credentials — or password hash — and use them to authenticate to other services. Attackers can exploit the flaw by sending the victim a specially crafted email that triggers automatically when the Outlook client retrieves and processes the email — and before the user has even viewed it in the Preview Pane.
Attackers can use the vulnerability to force a connection from the victim's Outlook client to an attacker-controlled server so they could steal the victims NTLM hash. The bug affects all supported Windows versions.
Barnea's analysis of the bug showed it stemmed from the manner in which Outlook handles emails containing a reminder with a custom notification sound.
The bug allows an attacker to specify what is known as a UNC path that would cause the Outlook client to retrieve the sound file from any SMB server including an attacker controller one. A Universal Naming Convention (UNC) naming path basically provides a standard way to locate and access shared resources on a network such as files, folders, and printers.
Microsoft addressed the issue by ensuring the relevant Outlook code calls a Windows API function (called MapUrlToZone) that verifies the security zone of a given URL. Security zones in Windows can include local machine zone, intranet zone, and trusted zones. The patch ensures that if the path to the sound file pointed to an Internet URL, the default reminder sound from a local security zone is used instead of the custom audio sound, Akamai said.
Barnea found that by adding a single '' to the UNC path, an attacker could create a URL that MapUrlToZone would assess as belonging in the local security zone, while also allowing the custom audio file to be downloaded from an external SMB server.
"MapUrlToZone is problematic here. It's used as a security measure, but the function itself contained a bug," Barnea says.
The patch for the original Outlook vulnerability (CVE-2023-23397) used a function that's supposed to parse a path and return whether it's local or remote.
"This addition was meant to prevent an outgoing connection from Outlook to remote servers to fetch a notification sound file," Barnea says. "We found a specific path for which the function incorrectly returns a wrong verdict — 'local' instead of 'remote.' This allows us to 'fool' the function and use this path to exploit the original Outlook vulnerability."
Barnea says the original Outlook vulnerability and the subsequent bypass flaw that Akamai discovered are the only two instances the company knows of that targeted the custom reminder sound feature in Outlook. However, for attackers the feature presents an interesting surface for remote, unauthenticated attacks, he says. "We believe it should be removed altogether."
Microsoft did not respond immediately to a Dark Reading request for comment on Akamai's claims about the severity of the bug and the threat it presents.
Jai Vijayan, Contributing Writer
Contributing Writer, Dark Reading
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
You May Also Like
2024 API Security Trends & Predictions
What’s In Your Cloud?
Everything You Need to Know About DNS Attacks
Tips for Managing Cloud Security in a Hybrid Environment
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
The State of Supply Chain Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
Pixelle’s OT Security Triumph with Security Inspection
Migrations Playbook for Saving Money with Snyk + AWS
Buyer’s Guide: Choosing a True DevSecOps Solution for Your Apps on AWS
The Need for a Software Bill of Materials
The Developers Guide to API Security
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Cyber Resiliency 2023: How to Keep IT Operations Running, No Matter What
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.
Leave a Reply