Researchers Find Bypass for a Fixed Bug; MSFT Patches Again

Akamai Says Exploit Sidesteps Patched Vulnerability Exploited by Russian Hackers
Security researchers say a slight modification to a Microsoft Exchange zero-day attack used by Russian state hackers can bypass a patch the computing giant introduced in March.

Microsoft patched the modified attack - tracked as CVE-2023-29324 - during this month's dump of fixes, rating the bug as "important" but not "critical."

Researchers from Akamai, which found and disclosed the bug, say it merits a critical rating.

"We found a remotely exploitable, 0-click vulnerability that can be used to bypass the patch. More precisely, we found that the addition of a single character renders the patch useless," the Akamai research team said in a Tuesday afternoon statement. The content delivery giant says Microsoft told it any Exchange server updated in March would stop an Outlook client from falling to the modified attack.

The original bug, CVE-2023-23397, is a Microsoft Outlook elevation of privilege vulnerability that allows a remote attacker to send a specially crafted email that leaks the targeted user's hashed Windows account password, allowing the attacker to authenticate into other systems. Threat intel firm Mandiant disclosed in March that the Russian GRU hacking group known as APT28 - also dubbed Fancy Bear - had been exploiting the vulnerability since spring 2022. Targets included government agencies and logistics, oil, defense and transportation industries located in Poland, Ukraine, Romania and Turkey (see: Microsoft Fixes Russia-Exploited Zero-Day).

The original vulnerability triggered when an attacker sent an email containing a reminder with a custom notification sound. The exploit worked by specifying the custom sound as a universal naming convention path, causing Outlook to retrieve the sound file from a remote server. With the patch in place, Outlook first verifies that the specified path does not refer to an internet URL.

Akamai researcher Ben Barnea said he found a way to trick Outlook into treating a UNC path pointing to the internet as if it were a local path, bypassing the fix. All an attacker needs to do, he said, is add an additional backward slash to the path.

UNC paths have a standard format of two backward slashes followed by a server or host name. The Microsoft security feature MapUrlToZone, which checks whether a URL points to inside or outside a local network, would correctly treat a file path submitted as '\\Akamai.com\file.wav' as an internet URL. But '\\.\UNC\\Akamai.com\file.wav' triggers a MapUrlToZone response of zero - i.e., local path.
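
As an added illustration for defenders (not code from Akamai, Microsoft or this article), the following Python sketch classifies reminder sound path strings by the host they name, treating the device-namespace UNC spelling the same as a plain UNC path. It assumes the path values have already been extracted from messages as strings; the function names and the "fs01" allowlisted host are hypothetical, and it does not reproduce how MapUrlToZone works.

```python
import re

# \\.\UNC\host\share and \\?\UNC\host\share are device-namespace spellings of
# \\host\share. Runs of separators are tolerated, since the bypass described
# above relied on an extra backslash.
_DEVICE_UNC = re.compile(r'^[\\/]{2}[.?][\\/]+UNC[\\/]+', re.IGNORECASE)
_DEVICE_OTHER = re.compile(r'^[\\/]{2}[.?][\\/]')  # e.g. \\.\C:\... (local device)
_PLAIN_UNC = re.compile(r'^[\\/]{2,}')
_SEP = re.compile(r'[\\/]')


def unc_host(path):
    """Return the lower-cased host a path names, or None for a local path."""
    p = path.strip().strip('"')
    m = _DEVICE_UNC.match(p)
    if m is None:
        if _DEVICE_OTHER.match(p):
            return None
        m = _PLAIN_UNC.match(p)
    if m is None:
        return None
    host = _SEP.split(p[m.end():], maxsplit=1)[0]
    host = host.split('@', 1)[0]  # drop WebDAV suffixes such as @SSL or @80
    return host.lower() or None


def classify_reminder_sound(path, allowed_hosts=()):
    """Classify a reminder sound path as 'local', 'allowed-unc' or 'remote-unc'."""
    host = unc_host(path)
    if host is None:
        return 'local'
    allowed = {h.lower() for h in allowed_hosts}
    return 'allowed-unc' if host in allowed else 'remote-unc'


# Constructed sample values; "fs01" is a hypothetical internal file server.
SAMPLES = [
    r'C:\Windows\Media\chimes.wav',
    r'\\Akamai.com\file.wav',
    r'\\.\UNC\\Akamai.com\file.wav',
    r'\\?\UNC\fs01\sounds\ding.wav',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(f'{classify_reminder_sound(s, allowed_hosts=["fs01"]):12} {s}')
```

Both spellings of the Akamai.com path come back as 'remote-unc', so a mailbox audit built on this check would flag the modified form as well as the original one.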

Akamai's write-up of the exploit notes that Microsoft maintains that Exchange servers updated in March drop instructions to invoke a custom sound file, a property technically known as PidLidReminderFileParameter.

The root cause, Barnea also wrote, stems from the complex handling of paths in Windows. The ultimate fix, he said, would be to remove the custom reminder feature "as it poses more security risks than it provides value to users."

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
