
CVE-2024-38173: Outlook Form Injection RCE Vulnerability Patched

Posted by Jay Kurup on August 13, 2024

As part of our ongoing effort to identify new vulnerabilities in Microsoft Office applications, Morphisec researchers discovered two additional critical vulnerabilities in Microsoft Outlook and reported them to Microsoft under the standard responsible disclosure process. Microsoft addressed these issues in the August 2024 patch cycle.

The vulnerability covered by CVE-2024-38173 is a Form Injection RCE vulnerability akin to CVE-2024-30103 (disclosed and patched in July). If exploited, it could lead to arbitrary code execution, with potential consequences including data breaches, unauthorized access and other malicious activity.

As was the case with CVE-2024-30103, this is again a zero-click vulnerability: on systems with Microsoft's auto-open email feature enabled, no user interaction is required.

CVE-2024-38173 Technical Impact

Several additional CVEs were released in the same patch cycle, some of them introducing techniques to hijack and leak NTLM credentials; we will cover those details in a separate post. Both vulnerabilities are critical because an attacker could theoretically chain them into a full attack chain that gives the adversary complete control of the system without prior authentication.

Because CVE-2024-38173 is a zero-click vulnerability, the user does not need to interact with the content of a malicious email beyond opening or previewing it, which allows the adversary to gain a foothold in the organization.

Timeline of Events

  • June 16, 2024: CVE-2024-38173 RCE was reported to Microsoft by Morphisec researchers as part of the responsible disclosure policy.
  • June 21, 2024: The vulnerability was confirmed.

Patch Release and Urgent Call to Action

Patch Deployment: Ensure that all Microsoft Outlook and Office applications are updated with the latest patches as soon as they are available.  

Hardening: Block outbound SMB and enforce Kerberos authentication. 

Email Security: Implement robust email security measures, including disabling automatic email previews if possible.  

User Awareness: Educate users about the risks associated with opening emails from unknown or suspicious sources.  
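The hardening step above (block outbound SMB, push authentication toward Kerberos) as an added, runnable PowerShell example; it is not code from the Morphisec post. The firewall rule name and the helper function are my own; the `RestrictSendingNTLMTraffic` value under `MSV1_0` is the registry backing of the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, and `Internet` is a built-in Windows Firewall address keyword. Run it elevated and in a lab first, since blocking TCP 445 outbound also breaks legitimate file-share access to non-local networks.

```powershell
# Added example (not from the original post): apply and verify two endpoint
# hardening controls that reduce the impact of an Outlook RCE chained with
# NTLM leakage. Requires an elevated session.

# 1. Block outbound SMB (TCP 445) towards the Internet. "Internet" is a
#    built-in address keyword; internal file servers on the intranet still work.
$ruleName = "Block outbound SMB to Internet (Outlook hardening)"   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Restrict outgoing NTLM so remote authentication must fall back to Kerberos.
#    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit only, 2 = deny all.
#    Start in audit mode (1), review Event ID 8001 in
#    "Applications and Services Logs\Microsoft\Windows\NTLM\Operational",
#    and move to 2 once no legitimate NTLM fallbacks remain.
$lsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# Verification helper (assumed name) so the state can be checked by fleet tooling.
function Test-OutlookHardening {
    $fw   = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $ntlm = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    [pscustomobject]@{
        OutboundSmbBlocked     = [bool]($fw -and $fw.Enabled -eq 'True' -and $fw.Action -eq 'Block')
        NtlmOutboundRestricted = ($null -ne $ntlm -and $ntlm -ge 1)
        NtlmMode               = switch ($ntlm) { 2 { 'Deny' } 1 { 'Audit' } default { 'Allow' } }
    }
}

Test-OutlookHardening
```

Moving `RestrictSendingNTLMTraffic` to 2 on a host whose Outlook profile still relies on NTLM (for example against a non-domain-joined proxy) will break mail connectivity, which is why the block leaves it in audit mode.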

Ensuring comprehensive coverage across the security stack with EDR and Automated Moving Target Defense (AMTD) further reduces risk and offers endpoint assurance against both known and unknown attacks.

Research and Discovery Process

Morphisec’s research involved extensive fuzzing and reverse engineering of Microsoft Outlook's codebase to identify the specific conditions behind these Outlook vulnerabilities. The findings were thoroughly documented and reported to Microsoft under the responsible disclosure process, ensuring a collaborative approach to addressing the issue.

On-Demand Outlook RCE Webinar

The Morphisec Threat Labs team presented their technical findings on the recently patched Outlook RCE vulnerabilities CVE-2024-30103 and CVE-2024-38021 on the main stage at DEF CON 32. If you weren't able to attend in person, watch the on-demand webinar to hear directly from those who discovered these vulnerabilities and to learn more about them.