
A Grim Outlook for Microsoft with MonikerLink and Exchange Vulnerabilities | Cybersecurity

Microsoft's Patch Tuesday updates in February 2024 include critical fixes for two zero-day vulnerabilities: CVE-2024-21413, affecting Microsoft Outlook (known as MonikerLink), and CVE-2024-21410, affecting Microsoft Exchange Server. The former allows remote code execution to access and leak privileged information, while the latter allows privilege escalation (potentially using the credentials leaked by the former). These security risks expose a victim's machine to potentially malicious arbitrary code execution.

Twin vulnerabilities: CVE-2024-21413 and CVE-2024-21410

With two zero-day vulnerabilities affecting different Microsoft products, you may wonder what they mean and how you are affected. While you may be vulnerable to one or both of these vulnerabilities, you are at elevated risk if you use both, because attackers can chain the two vulnerabilities in sequential attacks.

CVE-2024-21413: The #MonikerLink bug

Although the MonikerLink vulnerability is currently awaiting analysis in the National Vulnerability Database, Microsoft has supplied a base score of 9.8 in the Common Vulnerability Scoring System (CVSS), indicating critical impact on confidentiality, integrity, and availability. An unauthenticated attacker can perform arbitrary code execution with read, write, and delete privileges on the system, which may lead to system compromise, data exfiltration, and data breaches.

Identified by Haifei Li and Check Point Research, this vulnerability exploits Outlook's API for the Component Object Model (COM) on Windows. With this bug, cybercriminals can craft malicious hyperlinks that take advantage of Microsoft monikers and Outlook API calls in `file://` hyperlinks to access COM objects. Appending the exclamation mark `!` character to a specially crafted URL allows an attacker to bypass security mechanisms such as Outlook warnings and Protected View in Word and other Office applications. If used when accessing the `test.rtf` file over port `445`, then authentication credentials for New Technology LAN Manager (NTLM) are leaked during the process.
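As a defensive illustration of the link pattern described above, the following Python snippet (an added example, not code from the original article or from Check Point Research) extracts hyperlinks from an HTML mail body and flags any `file:` link that carries a `!` moniker suffix; the sample bodies and the host address in them are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Pattern for a MonikerLink-style target: a file: link whose path ends in a "!"
# moniker suffix. The host may be a UNC/SMB server (where the NTLM leak happens
# over port 445) or a local drive; the "!" is the tell either way.
MONIKER_LINK = re.compile(
    r"^file:[/\\]+(?P<host>[^/\\\s]+)[/\\](?P<path>[^!\s\"']+)!(?P<moniker>[^\s\"']*)$",
    re.IGNORECASE,
)

class LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())

def find_moniker_links(html_body):
    """Return (href, host, path) for every link matching the MonikerLink pattern."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for href in parser.hrefs:
        match = MONIKER_LINK.match(href)
        if match:
            hits.append((href, match.group("host"), match.group("path")))
    return hits

# Constructed sample bodies (not real captured mail); 203.0.113.10 is a documentation address.
SAMPLE_MALICIOUS = (
    r'<p>Please review.</p>'
    r'<a href="file:///\\203.0.113.10\share\test.rtf!x">Open document</a>'
)
SAMPLE_BENIGN = (
    r'<a href="https://example.com/report!2024">Report</a>'
    r'<a href="file://fileserver/share/handbook.docx">Handbook</a>'
)

if __name__ == "__main__":
    for body in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(find_moniker_links(body))
```

A mail gateway or SIEM rule built on this pattern should also flag plain `file:` UNC links without the `!`, at lower severity, since those still trigger outbound SMB authentication when followed.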

Microsoft's security vulnerability release for CVE-2024-21413 lists updates available for the following products:

Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 (32-bit edition)
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for 32-bit editions

Users with Microsoft Office 2016 must run a series of updates to ensure a patched system.

CVE-2024-21410: The Exchange escalation

CVE-2024-21410 is a privilege escalation vulnerability in Microsoft Exchange Server and affects all versions except those already updated with Cumulative Update 14.

Like the MonikerLink flaw, the Exchange escalation vulnerability has a CVSS score of 9.8 with a total loss of confidentiality, integrity, and availability. An attacker who has access to NTLM credentials, such as by compromising Outlook with the MonikerLink bug, can use the leaked credentials to authenticate as a privileged user on the Exchange server in a pass-the-hash attack. Once authenticated, hackers can then perform operations as that user, such as data theft or malware and ransomware installation.

Microsoft has provided an update to mitigate NTLM relay attacks in Exchange Server 2019 Cumulative Update 14. The update enables Extended Protection for Authentication (EPA) by default, among other security updates. In the security vulnerability release for CVE-2024-21410, Microsoft identifies the following release updates for Microsoft Exchange Server:

Microsoft Exchange Server 2019 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 13
Microsoft Exchange Server 2016 Cumulative Update 23

EPA is mandatory in the most recent build, while earlier updates offered the mitigation as an optional release.

Cybersecurity's vulnerability detection identifies when you use Exchange Server, as well as known vulnerabilities for the service, such as its earlier compromise by a set of vulnerabilities in spring 2021. Cybersecurity detects the version in use so you can audit your own and your vendors' use of the service for potentially affected versions.

How to respond to CVE-2024-21413 and CVE-2024-21410

If you use Microsoft Outlook or Microsoft Exchange Server, you should immediately apply Microsoft's updates as specified in the Microsoft Security Response Center. Because threat actors can combine these two vulnerabilities to gain access and move laterally within your environment, it is critical to update both products to protect against leaked NTLM credentials that can be leveraged in an authentication attack.

Run the Microsoft HealthChecker

To validate your Exchange Server configuration, use Microsoft's Health Checker script. You can evaluate configuration settings and identify common issues.

For example, run the following command to collect vulnerability information for all your Exchange Servers:

`PS C:\> .\HealthChecker.ps1 -VulnerabilityReport`

If you work with third-party vendors that use Microsoft Exchange Server, request that they apply the same mitigation update and run the Health Checker to demonstrate that they have applied the mitigation correctly.

Improve email security practices

Assess your supply chain with Cybersecurity

With Cybersecurity Breach Risk, you can identify and evaluate attack vectors in your publicly accessible infrastructure. CVE-2024-21410 has been added to Cybersecurity's vulnerability library, so you can search for CVE-2024-21410 in your Breach Risk Vulnerabilities module. To determine whether third-party vendors in your supply chain are affected, use Cybersecurity Vendor Risk for security concerns in your supply chain.

Identify potential vulnerabilities in your third-party vendor ecosystem, such as vendor use of Microsoft Exchange Server.

Your Risk Profile in Breach Risk and the Vendor Risk Portfolio Risk Profile identify which assets may be affected, with a finding for potential vulnerabilities in Microsoft Exchange Server. Cross-check your version against the affected versions to ensure that your system is protected against potential exploitation. We will continue monitoring this situation for more information on NTLM-related vulnerabilities.

Evaluate your incident response plan

Ensure that you are prepared for these and future cyber threats by reviewing your current incident response plan. Brief your threat intelligence team on your current use of Microsoft Outlook and Microsoft Exchange Server, as well as the time period between the vulnerability identification and when you applied the security update, so that they know which security issues to investigate.
