Getty Images/iStockphoto

Akamai discloses zero-click exploit for Microsoft Outlook

During research into an older Microsoft Outlook privilege escalation vulnerability, Akamai discovered two new flaws that can be chained for a zero-click RCE exploit.

While examining a previous bypass mitigation, Akamai Technologies discovered two new Windows vulnerabilities that could allow an attacker to create a zero-click exploit against Microsoft Outlook clients.

In a two-part report published Monday, Akamai researcher Ben Barnea detailed the discovery of two new Windows vulnerabilities, tracked as CVE-2023-35384 and CVE-2023-36710, that were reported to and addressed by Microsoft. By chaining the two flaws, he was able to construct a remote code execution (RCE) exploit for Outlook that required no user interaction.

Barnea's research was inspired by his previous work on an Outlook mitigation bypass for CVE-2023-23397, a vulnerability that was disclosed and patched in March, but continues to be exploited by a Russian nation-state group. The new vulnerability, tracked as CVE-2023-29324, was disclosed in May, but Akamai and Microsoft disagreed over the severity.

Microsoft fixed the mitigation bypass in May, but Akamai recommended an additional mitigation step to increase security that went unheeded. Barnea confirmed that CVE-2023-23397 was triggered when an attacker sent an email that contained a custom notification sound and deemed that feature dangerous.

"After the patch for this vulnerability was released, we found a bypass that we described in a previous blog post. This bypass was fixed on the May 2023 Patch Tuesday," Barnea wrote in part one of the research. "In that publication, we recommended that Microsoft remove the abused feature, as it introduces a vast and complex attack surface. Since the feature remains in Outlook, we decided to investigate it further."

During the investigation into audio files, Barnea discovered two new Windows vulnerabilities that could be chained to conduct a remote attack on Outlook. CVE-2023-35384 is a security feature bypass vulnerability in the MapUrlToZone function that received a CVSS score of 6.5.

Barnea said exploitation requires an attacker to send an email to an Outlook client, which will then download a special file from the attacker's server. MapUrlToZone was the security measure Microsoft implemented to fix CVE-2023-23397, which Barnea proved he could bypass with CVE-2023-29324. In May, he disclosed that the function incorrectly classified local and remote paths.

The second vulnerability in the new exploit chain, CVE-2023-36710, is a Windows RCE flaw with a 7.8 CVSS score that Akamai discovered in the Audio Compression Manager (ACM). "This vulnerability is exploited when the downloaded sound file is autoplayed, and it can lead to code execution on the victim machine," Barnea wrote.

The researchers' goal was to determine whether Outlook could be manipulated into downloading a sound file from a remote location despite Microsoft's previous fixes. They continued to examine MapUrlToZone along with the CreateFile function, where sound files would be downloaded. Barnea bypassed mitigations in three attempts and was able to trick Outlook into incorrectly recognizing the functions as coming from a local path. In addition, he discovered that the chain could lead to mark-of-the-web bypasses as well as Windows New Technology LAN Manager (NTLM) credentials leaks that include domain names, usernames and passwords.

Akamai diagram of how attackers could exploit the original vulnerability for NTLM credential theft.
Akamai detailed a new mitigation bypass, but warned that NTLM credentials leaks continue to be a threat.

Part two of the series tested whether attackers could abuse Outlook's custom notification sound and play files on the target remotely. Researchers examined three attack surfaces: WAV format parsing, ACM and different audio codecs. It was during the third attempt when Barnea discovered the second vulnerability in the chain that allowed for RCE, tracked as CVE-2023-36710.

Barnea told TechTarget Editorial that of the two vulnerabilities in the exploit chain, the research team assessed CVE-2023-35384 as easier to exploit and therefore more likely to be exploited. The ACM flaw, CVE-2023-36710, "requires a more complex exploitation," he said.

While there are no reports of exploitation, Akamai warned that the threat vector is attractive to attackers. Microsoft Exchange and Outlook have come under attack multiple times in recent years, and the software giant has been criticized for its vulnerability patching practices. Security researchers say inadequate patches have failed to fully address root causes of vulnerabilities, leading to mitigation bypasses and new variant flaws.

"Although those vulnerabilities are fixed, attackers continue to look for similar attack surfaces and vulnerabilities that can be remotely exploited. As of now, the attack surface in Outlook that we researched still exists, and new vulnerabilities can be found and exploited. Although Microsoft patched Exchange to drop mails containing the PidLidReminderFileParameter property, we can not rule out the possibility of bypassing this mitigation," Barnea wrote in part two of the report.

TechTarget Editorial contacted Microsoft for comment on the chained exploit. A Microsoft spokesperson said, "These issues have been addressed, and customers who have installed the latest security updates are already protected."

Barnea told TechTarget Editorial that while the vulnerabilities have been patched, the custom sound notification feature poses risk to Outlook users. "We do hope Microsoft removes this feature, as just two weeks ago it was published that the original vulnerability, CVE-2023-23397, is still exploited in the wild after nine months since it was patched," he said.

Akamai advised following Microsoft's detection and mitigation guidance for the original Outlook vulnerability, CVE-2023-23397. Additional recommendations including microsegmentation to filter malicious IP addresses as well as disabling NTLM in the network environment.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Threats and vulnerabilities