CVE-2024-38021

Improper Input Validation (CWE-20)

Published: Jul 9, 2024

CVSS 8.8 | EPSS 0.12% | Severity: High

Summary

Microsoft Office Remote Code Execution Vulnerability. This vulnerability allows remote code execution with a network-based attack vector. It requires user interaction but does not need privileges. The attack complexity is low.

Impact

If exploited, this vulnerability could lead to high impacts on confidentiality, integrity, and availability of the affected system. An attacker could potentially execute arbitrary code with the privileges of the current user, potentially gaining control over the system, accessing sensitive information, or disrupting normal operations.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including krebsonsecurity.com.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on July 9, 2024.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible.
2. Implement network segmentation to limit the exposure of vulnerable systems.
3. Educate users about the risks of interacting with untrusted content or files, as user interaction is required for exploitation.
4. Use the principle of least privilege to limit the potential impact if exploitation occurs.
5. Keep all Microsoft Office products and related software up to date with the latest security updates.
6. Consider implementing application whitelisting to prevent unauthorized code execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (110470)

Jul 9, 2024 at 7:53 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 9, 2024 at 5:05 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38021

Jul 9, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-38021.

Jul 9, 2024 at 5:17 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 9, 2024 at 5:34 PM
Threat Intelligence Report

CVE-2024-38021 is a critical Remote Code Execution vulnerability affecting Microsoft Office 2016 with a CVSSv3 score of 8.8. While there are no known proof-of-concept exploits in the wild, successful exploitation could lead to elevated privileges for an attacker. Microsoft has not released a patch yet, but recommends users be cautious of suspicious links to mitigate the risk of exploitation.

Jul 9, 2024 at 7:06 PM
Exploitation in the Wild

Attacks in the wild have been reported by InoAll2RSS.

Jul 9, 2024 at 7:59 PM / InoAll2RSS
Trending

This CVE started to trend in security discussions

Jul 9, 2024 at 8:59 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (202025)

Jul 9, 2024 at 11:15 PM

Affected Systems

Microsoft/office

Patches

Microsoft

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

References

Announcing the BlueHat 2024 Sessions
We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30. This year’s conference continues the BlueHat ethos and Secure Future Initiative mission of “Security Above All Else”.
CVE-2024-38021 - Security Update Guide - Microsoft - Microsoft Outlook Remote Code Execution Vulnerability
There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Microsoft Outlook Remote Code Execution Vulnerability
Is the Preview Pane an attack vector for this vulnerability? According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R).

News

Microsoft patched four zero-day vulnerabilities - Technology For You
While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems. “There were two other zero-day vulnerabilities patched this month – CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS) and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server.
Tal's DEF CON 32 Solo Watch Party
An attacker can run with the permissions of the vulnerable repo, receiving an identity token from GitHub with the claim in the format, which matches the lax format, allowing access to cloud resources. Since this protection obviously shouldn’t work cross-account (in my account I’m an admin and can freely, but would this allow me to use a service role in another account?), the operation is then always blocked by AWS.
Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
The highest-rated vulnerability in this month's release is a remote code execution flaw in Azure CycleCloud ( CVE-2024-43602, CVSS score: 9.9), which allows an attacker with basic user permissions to gain root-level privileges. The update also fixes a critical cryptographic protocol flaw impacting Windows Kerberos ( CVE-2024-43639, CVSS score: 9.8) that could be abused by an unauthenticated attacker to perform remote code execution.
2 Zero-Day Bugs in Microsoft’s Nov. Update Under Exploit
One of the zero-day bugs that attackers are already actively exploiting is CVE-2024-43451 (CVSS 6.5 out of 10), a flaw that discloses a user’s NTLMv2 hash for validating credentials in Windows environments. The second bug under active exploit in Microsoft’s latest update is CVE-2024-49039 (CVSS 8.8), a Windows Task Scheduler elevation of privilege bug that allows an attacker to execute remote procedure calls (RPC) normally available only to privileged accounts.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
