A new critical vulnerability impacting Microsoft Office, identified by the reference CVE-2024-21413, has been reported. It has been assigned a CVSS 3.1 score of 9.8. Note that a significant number of proofs of concept are freely available, giving threat actors considerable potential for exploitation. The Stormshield Customer Security Lab details our protection offerings.

This vulnerability impacts the following products:

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office 2021
  • Microsoft 365 Apps

The OWA (Outlook Web Application) version is not impacted.

 

The context of Microsoft Office vulnerability

The vulnerability CVE-2024-21413 allows an attacker to:

  • Execute arbitrary code through the indirect opening of an Office document, bypassing the protected mode;
  • Disclose sensitive information about the user's identity (NTLM hash).

In the first case, a payload could be executed in the context of the targeted Office program.

In the second case, the NTLM hash could be reused in a Pass-The-Hash attack in order to spoof the identity of the user.

 

Technical details of Microsoft Office vulnerability

The root cause of this vulnerability lies in the way the Office suite interprets some hypertext links, especially links relying on the COM Monikers technology.

If such a link points to an SMB share – in the form \\<Malicious_IP>\file – then the Office program will automatically try to authenticate to this remote server by sending it the NTLM hash of the current user. If this SMB server serves a malicious file such as an RTF, then a program like Microsoft Word will load the file and execute it.
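
As an added illustration (not Stormshield's signature and not code from this advisory), the following Python example flags hyperlinks in an e-mail's HTML body whose target is a remote file share, the link form described above. The function names and the sample message are constructed for this example; it inspects only the link target, not the moniker handling inside Office.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote

def smb_host(href):
    """Return the remote host when href points at a file share, else None."""
    url = unquote(href.strip())
    if url.lower().startswith("file:"):
        body = url[5:].replace("\\", "/")
        rest = body.lstrip("/")
        if len(body) - len(rest) in (0, 1, 3):   # file:/x and file:///C:/x are local
            return None
    elif url.startswith("\\\\"):                 # raw UNC path: \\host\share\file
        rest = url[2:]
    else:
        return None
    host = re.split(r"[\\/]", rest, maxsplit=1)[0]
    if not host or host.lower() == "localhost" or re.fullmatch(r"[A-Za-z][:|]", host):
        return None
    return host

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def scan_message(raw):
    """Return (href, host) for every HTML link in the mail that targets a share."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser = _Hrefs()
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
            findings += [(h, smb_host(h)) for h in parser.hrefs if smb_host(h)]
    return findings

# Constructed sample message (documentation addresses, not real traffic).
SAMPLE = r"""Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<a href="https://example.test/report">portal</a> <a href="file:///C:/tmp/a.txt">local</a>
<a href="file://192.0.2.10/share/doc.rtf">shared doc</a>
<a href="\\192.0.2.20\share\doc.rtf">UNC</a>
"""
```

Calling `scan_message(SAMPLE)` returns the two share-targeting links with their hosts and ignores the web and local-file links.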

 

Attack modelling with MITRE ATT&CK

  • Kill chain: Delivery

MITRE ATT&CK techniques:

  • T1566.002 - Phishing: Spearphishing Link
  • T1559.001 - Inter-Process Communication
  • T1204.001 - User Execution: Malicious Link

 

Microsoft Office vulnerability: Stormshield protections

Protection with Stormshield Network Security

Stormshield Network Security (SNS) firewalls detect and block exploitation of CVE-2024-21413 with their protocol inspection:

  • smtp:client.15 : eMail : Microsoft Outlook malicious Moniker link (CVE-2024-21413)

For this protection to be effective, the traffic must be decrypted.

Confidence index for the protection offered by Stormshield

Confidence index for the absence of false positives

Recommendations regarding the Microsoft Office vulnerability

At the time of writing, a patch for the Office suite is already available. It is highly recommended to update the product through Windows Update.

The details of the patch are available on the Microsoft website at the following address.

Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Cyber Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.