
CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook

Posted by Michael Gorelik on July 9, 2024

Morphisec researchers have identified a significant vulnerability, CVE-2024-38021 — a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.  

Unlike the previously discovered vulnerability CVE-2024-30103, disclosed in June, which required authentication (at least an NTLM token), this new vulnerability does not require any authentication.

CVE-2024-38021 Vulnerability Details and Technical Impact

If exploited, CVE-2024-38021 can lead to potential data breaches, unauthorized access, and other malicious activities. 

Microsoft has assessed this vulnerability with an "Important" severity rating. Their assessment differentiates between trusted and untrusted senders, noting that while the vulnerability is zero-click for trusted senders, it requires one-click user interaction for untrusted senders.

Given the broader implications of this vulnerability, particularly its zero-click vector for trusted senders and its potential for much wider impact, we have requested that Microsoft reassess the severity and label it "Critical." This reassessment is crucial to reflect the true risk and ensure adequate attention and resources are allocated for mitigation. The complexity of this RCE is higher than that of CVE-2024-30103, reducing the likelihood of short-term exploitation. However, chaining this vulnerability with another could potentially simplify the attack process.

Timeline of Events

April 21, 2024: The vulnerability was initially reported to Microsoft by Morphisec researchers as part of a responsible disclosure process.

April 26, 2024: The vulnerability was confirmed.  

July 9, 2024: Microsoft included a patch for CVE-2024-38021 as part of its Patch Tuesday updates.  

We commend Microsoft for addressing this vulnerability relatively quickly, especially considering its problematic nature and the complexity of the previous patch. 


Exploitation Risk 

Given its zero-click nature (for trusted senders) and lack of authentication requirements, CVE-2024-38021 poses a severe risk. Attackers could exploit this vulnerability to gain unauthorized access, execute arbitrary code, and cause substantial damage, with no user interaction at all in the trusted-sender case. The absence of authentication requirements makes it particularly dangerous, as it opens the door to widespread exploitation.

Patch Release and Urgent Call to Action 

Patch Deployment: Ensure that all Microsoft Outlook and Office applications are updated with the latest patches as soon as they are available. 

Email Security: Implement robust email security measures, including disabling automatic email previews if possible. 

User Awareness: Educate users about the risks associated with opening emails from unknown or suspicious sources. 
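To support the "Patch Deployment" step above, the following PowerShell snippet is an added example (not Morphisec's or Microsoft's code) that reports the installed Outlook build on a Windows endpoint and compares it against a minimum patched build. The registry locations it reads are the standard Office Click-to-Run configuration key and the Windows App Paths entry for OUTLOOK.EXE; the build number in $MinimumPatchedBuild is a placeholder, since this page does not state the fixed build, and must be taken from Microsoft's July 2024 security update release notes for the update channel in use.

```powershell
# Added example: check whether the local Outlook build is at or above a minimum patched build.
# $MinimumPatchedBuild is a PLACEHOLDER; replace it with the fixed build for your channel
# from Microsoft's release notes for the July 2024 security updates.
$MinimumPatchedBuild = [version]'16.0.0.0'   # PLACEHOLDER - not a real patched build

function Get-OutlookInstallInfo {
    # Click-to-Run installs record the reported build here; the key is absent on MSI installs.
    $c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                            -ErrorAction SilentlyContinue

    # The App Paths entry points at outlook.exe regardless of install type.
    $appPath = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' `
                                -ErrorAction SilentlyContinue

    $exePath    = $null
    $exeVersion = $null
    if ($appPath -and $appPath.'(default)' -and (Test-Path -LiteralPath $appPath.'(default)')) {
        $exePath = $appPath.'(default)'
        # Build the version from the numeric parts so stray text in FileVersion cannot break the cast.
        $vi = (Get-Item -LiteralPath $exePath).VersionInfo
        $exeVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                       $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    [pscustomobject]@{
        ClickToRunBuild = if ($c2r -and $c2r.VersionToReport) { [version]$c2r.VersionToReport } else { $null }
        OutlookExePath  = $exePath
        OutlookExeBuild = $exeVersion
    }
}

function Test-OutlookPatched {
    param([version]$Minimum = $MinimumPatchedBuild)

    $info = Get-OutlookInstallInfo
    # Prefer the Click-to-Run reported build; fall back to the outlook.exe file version (MSI installs).
    $build = if ($info.ClickToRunBuild) { $info.ClickToRunBuild } else { $info.OutlookExeBuild }

    if (-not $build) {
        return [pscustomobject]@{ Installed = $false; Build = $null; Patched = $false;
                                  Note = 'Outlook not found via Click-to-Run or App Paths' }
    }
    [pscustomobject]@{
        Installed = $true
        Build     = $build
        Patched   = ($build -ge $Minimum)
        Note      = if ($build -ge $Minimum) { 'Build meets minimum' } else { 'Build below minimum - update required' }
    }
}

# Usage: run in an elevated or standard session on the endpoint being checked.
Test-OutlookPatched | Format-List
```

Run the check across a fleet (for example through an RMM or a scheduled job) and treat any endpoint that reports Patched = False, or Installed = False where Outlook is expected, as an exception to follow up on; the exe-version fallback matters because MSI-based Office installs never populate the Click-to-Run key.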

Ensuring optimal and comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) reduces further risk and will offer endpoint assurance against known and unknown attacks. 

Research and Discovery Process 

Morphisec’s research involved extensive fuzzing and reverse engineering of Microsoft Outlook's codebase to identify the specific conditions that led to the discovery of this Microsoft Outlook vulnerability. The findings were then thoroughly documented and reported to Microsoft (as per responsible disclosure process), ensuring a collaborative approach to addressing the issue. 

Technical Details and Proof of Concept 

The Morphisec Threat Labs team presented their technical findings about CVE-2024-30103 and CVE-2024-38021 on the main stage at DEF CON 32. If you weren't able to attend in person, watch the on-demand webinar to hear directly from those who discovered these vulnerabilities and to learn more about them. Watch now.

How Morphisec can Help 

At Morphisec, we utilize Automated Moving Target Defense (AMTD) techniques to significantly reduce the risk of exploitation from vulnerabilities like CVE-2024-38021. By continuously and dynamically altering the attack surface, Morphisec AMTD creates a highly challenging environment for potential attackers. This innovative and preventative approach strengthens the protection of our clients against a broad spectrum of sophisticated cyber threats. 

Additionally, Morphisec’s AMTD technology acts as a virtual patch and compensating control for unpatched vulnerabilities. It proactively thwarts attacks on unpatched operating systems and application vulnerabilities by disrupting attack pathways, effectively dismantling an attacker’s framework.  

Experience Morphisec firsthand — schedule a demo today. 