PacketWatch Threat Intelligence

CVE-2024-21413: Microsoft Outlook Critical RCE

Written by The PacketWatch Intelligence Team | Feb 15, 2024 12:09:50 AM

As part of this month's Patch Tuesday, Microsoft released a fix for a critical vulnerability affecting multiple Outlook versions.

The vulnerability, CVE-2024-21413 (aka MonikerLink), allows threat actors to bypass Outlook's protections against malicious links embedded in emails.

Successful exploitation can lead to theft of NTLM credential information and can be used in conjunction with other Office vulnerabilities to achieve remote code execution.

Additionally, it allows threat actors to bypass Protected View (which is designed to open Office documents in read-only mode) and instead open Office documents in editing mode.

For full details on the root cause of the vulnerability and proof-of-concept code, see the vulnerability research from Haifei Li.

Affected Versions

  • Microsoft Office 2019 from 19.0.0
  • Microsoft 365 Apps for Enterprise from 16.0.1
  • Microsoft Office LTSC 2021 from 16.0.1
  • Microsoft Office 2016 from 16.0.0 before 16.0.5435.1000

Remediation

Administrators are strongly encouraged to apply the appropriate security updates from Microsoft. The Microsoft security advisory contains the security update links.

PacketWatch strongly recommends blocking outbound traffic over port 445 at the external firewall.
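
One way to verify that the egress block is in place, as an added example (not PacketWatch's or Microsoft's code): the script below scans firewall flow records for internal-to-external TCP/445 connections. The five-field record format, the sample records and the INTERNAL_NETS list are constructed assumptions; adapt them to your firewall's log export.

```python
import ipaddress

# Assumption: address space treated as "inside" the perimeter; adjust to your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample records, one per line: src dst proto dport action
SAMPLE_FLOWS = """\
10.1.4.22 10.1.0.5 tcp 445 allow
10.1.4.22 203.0.113.77 tcp 445 allow
10.1.4.23 198.51.100.9 tcp 445 deny
10.1.4.30 203.0.113.77 tcp 443 allow
fd00::15 2001:db8::50 tcp 445 allow
10.1.4.40 not-an-ip tcp 445 allow
truncated record
"""

def is_internal(addr):
    """True if addr falls in INTERNAL_NETS; raises ValueError on a bad address."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def smb_egress(flow_text):
    """Split internal-to-external TCP/445 flows into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        src, dst, proto, dport, action = parts
        if proto.lower() != "tcp" or dport != "445":
            continue
        try:
            if not is_internal(src) or is_internal(dst):
                continue  # only internal -> external SMB is of interest
        except ValueError:
            continue  # unparseable address
        (allowed if action.lower() == "allow" else blocked).append((src, dst))
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = smb_egress(SAMPLE_FLOWS)
    for src, dst in allowed:
        print(f"EGRESS GAP: {src} reached {dst} on tcp/445")
    for src, dst in blocked:
        print(f"blocked attempt: {src} -> {dst} on tcp/445")
```

Any entry in the allowed list means outbound SMB still crosses the perimeter; blocked entries identify clients that attempted an external SMB connection.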

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.