Microsoft recently reported that CVE-2023-23397, a critical Outlook vulnerability, is currently being exploited in the wild by a Russian state-sponsored threat actor known as Forest Blizzard.
This vulnerability allowed threat actors to exploit an Outlook client by extracting NTLM credentials while establishing a connection to the attacker-controlled server. Moreover, this vulnerability was also known to be a zero-click vulnerability.
CVE-2023-23397 was patched as part of the March 2023 security patches. However, a new bypass for the patch released by Microsoft has been discovered. This bypass has been assigned CVE-2023-35384, with a severity of 6.5 (Medium).
In addition, a new remote code execution vulnerability has been discovered in the Windows Media Foundation Core. This vulnerability has been assigned CVE-2023-36710, with a severity of 7.8 (High).
CVE-2023-35384: Windows HTML Platforms Security Feature Bypass Vulnerability
This vulnerability stems from CreateFile, which accepts either a forward slash or a backslash as a path separator. MapUrlToZone, however, treats only paths that begin with exactly “\\.\” or “\\?\” as local device paths. This creates path-type confusion.
In other words, CreateFile treats the crafted input as a Windows local path, whereas MapUrlToZone treats it as a URL. This mismatch can be leveraged to load a malicious audio file into Outlook, bypassing the security patch.
The malicious audio file is played with the function mapWavePrepareHeader in the Audio Compression Manager. This function is vulnerable to an integer overflow because it does not check the size of the stream.
An attacker can use a malicious wave file with a size greater than or equal to 0xffffff50, which could result in exploitation of this vulnerability. According to the calculations, the smallest possible size with the IMA ADP codec is 1 GB.
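Why 0xffffff50 is the threshold, shown as an added example that is not code from Microsoft, Akamai or the original article: an unchecked 32-bit size computation beside a hardened one. The function names and the HDR_OVERHEAD constant are assumptions; the constant is inferred from the quoted threshold, since 0xffffff50 + 0xb0 equals 2^32.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed fixed overhead added to the stream size. Not stated in the
   article: inferred because 0xffffff50 + 0xb0 == 2^32, the first sum
   that no longer fits in 32 bits. */
#define HDR_OVERHEAD 0xb0u

/* Unchecked pattern: the 32-bit add wraps, so a huge stream size
   produces a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t stream_size)
{
    return stream_size + HDR_OVERHEAD;
}

/* Hardened pattern: reject any size whose sum would not fit in 32 bits,
   and only write the result when it is valid. */
bool alloc_size_checked(uint32_t stream_size, uint32_t *out)
{
    if (stream_size > UINT32_MAX - HDR_OVERHEAD)
        return false;
    *out = stream_size + HDR_OVERHEAD;
    return true;
}

int main(void)
{
    /* Constructed sample sizes around the threshold quoted above. */
    const uint32_t samples[] = { 0x1000u, 0xffffff4fu, 0xffffff50u, 0xffffffffu };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t safe = 0;
        bool ok = alloc_size_checked(samples[i], &safe);
        printf("stream=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)samples[i],
               (unsigned)alloc_size_unchecked(samples[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The checked variant is the pattern to look for when reviewing size arithmetic that feeds an allocation: the comparison happens before the addition, so the wrapped value is never produced.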
According to the reports shared with Cyber Security News, by combining these two vulnerabilities, an attacker can perform a zero-click remote code execution on a victim. Although Microsoft has patched this vulnerability, it is evident that bypass methods still exist for threat actors to exploit it.
Furthermore, a complete report has been published by Akamai, providing detailed information about the Outlook vulnerability, source code, functions, workarounds, and other information.
Microsoft has also provided full guidance on detecting and mitigating the original Outlook vulnerability. Every organization is advised to follow the steps provided and remediate the vulnerabilities to prevent them from being exploited.