Update required

CERT-FR issued a major alert, under reference CERTFR-2024-ALE-005, regarding a critical vulnerability affecting Microsoft Outlook, an integral part of the Microsoft Office suite. This article breaks down and analyzes the vulnerability, identified as CVE-2024-21413, and the recommendations for addressing it.

Reference and affected systems

The vulnerability affects versions of Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, as well as Microsoft 365 Apps, only in their Outlook component. It is important to note that the Outlook Web Application (OWA) web interface is not affected by this flaw.

Associated risks

The CVE-2024-21413 vulnerability poses significant risks, including remote arbitrary code execution and a potential breach of user data privacy. The method of exploiting this vulnerability is based on sending a malicious link via email, which can lead to:

  • Obtaining a user’s NTLM digest via the SMB protocol.
  • Opening a targeted Office document via a malicious link without Microsoft Office Protected Mode being enabled, which opens the door to arbitrary remote code execution.

Protective measures and recommendations

In the face of this threat, CERT-FR published a series of recommendations on February 22, 2024. This emphasizes the importance of acting quickly to limit the risk of the vulnerability being exploited.

Immediate application of the patch: It is crucial to apply the update provided by Microsoft without delay. Details for obtaining this hotfix are available in the Microsoft Security Bulletin dated February 13, 2024.

Restrict outgoing SMB flows: To strengthen security, it is recommended to restrict outgoing SMB flows (TCP/445), including from mobile workstations, to protect data flows.

Malicious link detection: Using regular expressions and Yara rules can help identify email attack attempts. However, CERT-FR specifies that the effectiveness of these rules should be evaluated with caution.
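As an illustration of the link-detection idea, the following added example (not the CERT-FR regular expression and not the Yara rule cited below) scans the HTML parts of a message for links that would make the mail client contact a remote file share, which is the channel that exposes the NTLM digest over SMB. The function names, the accepted `file:` URL forms and the sample message are assumptions of this example; it will also flag legitimate internal share links, which is one reason such rules need careful evaluation.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

def remote_file_host(url):
    """Return the remote host a link would contact over SMB, or None."""
    u = url.strip()
    if u.startswith("\\\\"):                  # raw UNC path: \\host\share
        return u[2:].split("\\", 1)[0] or None
    if not u.lower().startswith("file:"):
        return None
    rest = u[5:].replace("\\", "/")
    slashes = len(rest) - len(rest.lstrip("/"))
    host = rest.lstrip("/").split("/", 1)[0]
    # file://host/... (2 slashes) and file:////host/... or file:///\\host\... (4+)
    # name a remote host; file:///C:/... (3 slashes) is a local path.
    if slashes in (0, 1, 3) or not host or host.lower() == "localhost":
        return None
    return None if re.fullmatch(r"[A-Za-z]:", host) else host

class _Links(HTMLParser):
    """Collects href values; HTMLParser decodes character references for us."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if k == "href" and v]

def flag_message(raw):
    """Return [(url, host)] for each HTML link that targets a remote file share."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = _Links()
            p.feed(part.get_content())
            hits += [(u, h) for u in p.hrefs if (h := remote_file_host(u))]
    return hits

# Constructed sample message (not a real capture); hosts are reserved example names.
SAMPLE = """\
From: sender@example.com
Subject: Q1 report
Content-Type: text/html; charset=utf-8

<p><a href="https://intranet.example.org/report">portal</a>
<a href="file:///\\\\files.example.net\\share\\report.rtf">report</a>
<a href="file:///C:/Users/Public/notes.txt">local notes</a></p>
"""
```

Calling `flag_message(SAMPLE)` returns only the link to `files.example.net`; the HTTPS link and the local `C:` path are ignored.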

Documentation and Resources

For more information, users and system administrators are encouraged to consult Microsoft Security Bulletins and the following resources:

  • A Yara rule for detecting the CVE-2024-21413 vulnerability, proposed by researchers X__Junior and Florian Roth, is available on GitHub.
  • Advisory CERTFR-2024-AVI-0127, dated February 14, 2024, is available on the CERT-FR website.

The discovery of the CVE-2024-21413 vulnerability in Microsoft Outlook is a reminder of the importance of vigilance and response to computer threats. Applying security updates, restricting potentially harmful flows, and increasing monitoring of email communications are essential steps to protect personal information and IT infrastructure.

Article source and further reading: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2024-ALE-005/
