A Grim Outlook for Microsoft with MonikerLink and Exchange Vulnerabilities

Microsoft's Patch Tuesday updates in February 2024 include critical fixes for two zero-day vulnerabilities: CVE-2024-21413 impacting Microsoft Outlook (called MonikerLink) and CVE-2024-21410 impacting Microsoft Exchange Server. The former allows remote code execution to access and leak privileged information, while the latter permits privilege escalation (potentially using credentials leaked by the former). These security risks expose a victim's machine to potentially malicious arbitrary code execution.

Dual vulnerabilities: CVE-2024-21413 and CVE-2024-21410

With two zero-day vulnerabilities impacting different Microsoft products, you may wonder what they mean and how you're impacted. While you may be vulnerable to one or both of these cybersecurity vulnerabilities, you are at increased risk if you use both because attackers can leverage the two vulnerabilities in sequential attacks.

CVE-2024-21413: The #MonikerLink bug

CVE-2024-21413, also called MonikerLink, is a remote code execution vulnerability in Microsoft Office, specifically impacting the Microsoft Outlook email client. If you use the Outlook service and you have not run the security updates from Microsoft, your use of Outlook is potentially vulnerable.

Though the MonikerLink vulnerability is currently awaiting analysis in the National Vulnerability Database, Microsoft has supplied a base score of 9.8 in the Common Vulnerability Scoring System (CVSS), indicating critical impact among confidentiality, integrity, and availability. An unauthenticated attacker can perform arbitrary code execution with read, write, and delete privileges on the system, which may lead to system compromise, data exfiltration, and data breaches.

Identified by Haifei Li and Check Point Research, this vulnerability exploits Outlook's API for the Component Object Model (COM) on Windows. With this bug, cybercriminals can craft malicious links that take advantage of Microsoft monikers and Outlook API calls in [.rt-script]file://[.rt-script] hyperlinks to access COM objects. Appending the exclamation mark [.rt-script]![.rt-script] character to a specially crafted URL enables an attacker to bypass protection mechanisms like Outlook warnings and Protected View in Word and other Office applications. If applied when accessing the [.rt-script]test.rtf[.rt-script] file over port [.rt-script]445[.rt-script], then authentication credentials for the New Technology LAN Manager (NTLM) are leaked during the process.

Microsoft's security vulnerability release for CVE-2024-21413 lists updates available for the following products:

  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions

Users with Microsoft Office 2016 must run a series of updates to ensure a patched system.

CVE-2024-21410: The Exchange escalation

CVE-2024-21410 is a privilege escalation vulnerability in Microsoft Exchange Server and affects all versions except those already updated with Cumulative Update 14.

Like the MonikerLink security flaw, the Exchange escalation vulnerability has a CVSS score of 9.8 with a total loss of confidentiality, integrity, and availability. An attacker who has access to NTLM credentials, such as by compromising Outlook with the MonikerLink bug, can use the leaked credentials to authenticate as a privileged user on the Exchange server in a pass-the-hash attack. Once authenticated, hackers can then perform operations as the user, such as data theft or malware and ransomware installation.

Microsoft has provided an update to mitigate NTLM relay attacks in the Exchange Server 2019 Cumulative Update 14. The update enables Extended Protection for Authentication (EPA) by default, among other security updates. In the security vulnerability release for CVE-2024-21410, Microsoft identifies the following release updates for Microsoft Exchange Server:

  • Microsoft Exchange Server 2019 Cumulative Update 14
  • Microsoft Exchange Server 2019 Cumulative Update 13
  • Microsoft Exchange Server 2016 Cumulative Update 23

EPA is mandatory in the most recent build, whereas previous updates offered the mitigation as an optional release.

UpGuard's vulnerability detection identifies when you use Exchange Server, as well as known vulnerabilities for the service, such as its previous compromise by a suite of vulnerabilities in spring 2021. UpGuard detects the version in use so you can audit your and your vendors' use of the service for potentially affected versions.

How to respond to CVE-2024-21413 and CVE-2024-21410

If you use Microsoft Outlook or Microsoft Exchange Server, you should immediately apply Microsoft's updates as specified in the Microsoft Security Response Center. Because these two vulnerabilities can be combined by threat actors to gain access and lateral movement within your system, it is critical to update both services for protection against leaked NTLM credentials that can be leveraged in an authentication attack.

Run the Microsoft HealthChecker

To validate your Exchange Server configuration, use Microsoft's Health Checker script. You can evaluate configuration settings and identify common issues.

For example, run the following cmdlet to collect vulnerability information for all your Exchange Servers:

[.rt-script]PS C:\> .\HealthChecker.ps1 -VulnerabilityReport[.rt-script]

If you work with third-party vendors that use Microsoft Exchange Server, request that they apply the same mitigation update and run the Health Checker to demonstrate they have applied the mitigation correctly.

Improve email security practices

Between the COM manipulation attacks on Microsoft Outlook and recent phishing attacks on Microsoft Azure, email security is a major concern. Exercise caution around unsolicited emails and educate your employees on how to identify phishing and other malicious emails.

Apply security measures like Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to create additional layers of protection to your email setup.

Assess your supply chain with UpGuard

With UpGuard BreachSight, you can identify and evaluate attack vectors in your publicly accessible infrastructure. CVE-2024-21410 has been added to UpGuard's vulnerability library, so you can search for CVE-2024-21410 in your BreachSight Vulnerabilities module. To determine if third-party vendors in your supply chain are impacted, use UpGuard Vendor Risk for security concerns in your supply chain.

Screencapture of the Microsoft Exchange Server vulnerability finding in UpGuard Vendor Risk
Identify potential vulnerabilities in your third-party vendor ecosystem like vendor use of Microsoft Exchange Server.

Your BreachSight Risk Profile and the Vendor Risk Portfolio Risk Profile identify what assets may be impacted with a finding for potential vulnerabilities in Microsoft Exchange Server. Cross-check your version with the impacted versions to ensure that your system is protected against possible exploitation. We will continue monitoring this situation for more information on NTLM-related vulnerabilities.

Evaluate your incident response plan

Ensure that you are prepared for these and future cyber threats by reviewing your current incident response plan. Brief your threat intelligence team on your current use of Microsoft Outlook and Microsoft Exchange Server, as well as the time period between the vulnerability identification and when you applied the security update, so they know what security issues to investigate.

Ready to see
UpGuard in action?