Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324)

Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as “important.”

Akamai’s research team and Ben Barnea, the researcher who’s credited with finding the flaw, disagree with that assessment, because “the new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators.”

About CVE-2023-23397

CVE-2023-23397 is an EoP bug in Microsoft Outlook that can be triggered without user interaction (aka “zero-click”).

“External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim,” Microsoft explained in March 2023, when it provided a fix.

The email doesn’t have to be viewed or previewed by the user for the exploit to work – it just needs to be retrieved and processed by the Outlook client.

The vulnerability was reported by the Ukrainian CERT and Microsoft’s Incident and Treat Intelligence teams, after they discovered it getting exploited by a threat actor by sending out an email containing a reminder with a custom notification sound.

About CVE-2023-29324

CVE-2023-29324, on the other hand, is defined as a security feature bypass vulnerability that, according to Akamai researchers, could still have the same consequences as the critical original Outlook bug.

They discovered it when they analyzed the patch for CVE-2023-23397, which fixed the issue by changing the code flow in Outlook so that it now first checks whether the universal naming convention (UNC) path that retrieves the custom sound file refers to an internet URL and, if it does, it uses the default reminder sound instead of the custom one.

Unfortunately, they also found that that check (and consequently the patch) can be easily be borked by adding a single character that will change how a specific function categorizes the zone of the UNC path.

“This vulnerability is yet another example of patch scrutinizing leading to new vulnerabilities and bypasses,” they noted, and said that they hope Microsoft will fully remove the custom reminder sound feature, as it poses more security risks than it provides value to users.

“It is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities. Considering how ubiquitous Windows is, eliminating an attack surface as ripe as this is could have some very positive effects.”

In the meantime, the risk of exploitation of both CVE-2023-23397 and CVE-2023-29324 can be removed by implementing the patches, in that order. For more specific information, you should consult Microsoft’s security advisories.