Fixed, but still dangerous: two zero-click vulnerabilities in Windows allow takeover of a user's device

Akamai explained which systems can be compromised without your participation.

Ben Barnea of Akamai has published technical details of two patched vulnerabilities in Windows. The vulnerabilities can be exploited for Remote Code Execution (RCE) in the Outlook mail service without any user interaction. The Akamai report is published in two parts [1, 2].
  • CVE-2023-35384 (CVSS score: 6.5) is a security feature bypass vulnerability in Windows HTML Platforms. Discovered in August;
  • CVE-2023-36710 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Media Foundation Core. Discovered in October.

CVE-2023-35384 is related to the MapUrlToZone function and can be exploited by sending an email with a malicious file or URL to an Outlook client.

CVE-2023-35384 was described as a bypass for a critical privilege escalation vulnerability that Microsoft patched in March 2023: CVE-2023-23397 (CVSS score: 9.8), which allows an attacker to steal Net-NTLMv2 hashes and gain access to user accounts. In addition, CVE-2023-23397 was used by the APT28 group to gain unauthorized access to accounts on Exchange servers.

CVE-2023-36710 affects the Audio Compression Manager (ACM) component, a legacy Windows multimedia framework. It is caused by an integer overflow that occurs when playing a WAV file. Akamai was able to trigger the vulnerability using the IMA ADP codec.

"The file size is approximately 1.8 GB. By performing a mathematical constraint operation in the calculation, we can conclude that the smallest possible file size with the IMA ADP codec is 1 GB," said Barnea.

To mitigate these risks, we recommend using micro-segmentation to block outgoing SMB connections to remote public IP addresses, as well as disabling NTLM or adding users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism.
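
As an added example (not from the Akamai report or the original post), the following Python script audits firewall flow records for SMB connections leaving the internal network, which is the traffic the micro-segmentation recommendation above is meant to stop. The CSV layout, the sample records and the internal address ranges are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

SMB_PORTS = {139, 445}  # SMB over NetBIOS session service and direct-hosted SMB
# Assumption: these ranges are "inside"; replace with your organisation's networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample flow records (not real traffic); the CSV layout is hypothetical.
SAMPLE_FLOWS = """time,src,dst,dport,proto,action
2023-12-19T09:00:01Z,10.1.4.23,10.1.0.5,445,tcp,allow
2023-12-19T09:00:07Z,10.1.4.23,203.0.113.50,445,tcp,allow
2023-12-19T09:01:12Z,10.1.7.9,198.51.100.8,445,tcp,deny
2023-12-19T09:02:30Z,10.1.7.9,198.51.100.8,443,tcp,allow
2023-12-19T09:03:00Z,10.1.9.2,not-an-ip,445,tcp,allow
2023-12-19T09:04:10Z,192.168.3.4,2001:db8::25,445,tcp,allow
"""

def is_internal(ip):
    """True if ip falls in one of INTERNAL_NETS; raises ValueError on bad input."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_smb(log_text):
    """Return (src, dst, port, action) for SMB flows from inside to outside."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            port = int(row["dport"])
            leaving = is_internal(row["src"]) and not is_internal(row["dst"])
            proto, action = row["proto"].lower(), row["action"].lower()
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # malformed record: skip rather than abort the audit
        if proto == "tcp" and port in SMB_PORTS and leaving:
            findings.append((row["src"], row["dst"], port, action))
    return findings

def policy_gaps(findings):
    """Flows the firewall allowed: the segmentation rule did not cover them."""
    return [f for f in findings if f[3] == "allow"]

if __name__ == "__main__":
    for src, dst, port, action in outbound_smb(SAMPLE_FLOWS):
        status = "POLICY GAP" if action == "allow" else "blocked attempt"
        print(f"{status}: {src} -> {dst}:{port}")
```

An allowed flow means an NTLM authentication attempt may have reached the remote host; a blocked one still identifies a client that tried to connect and is worth reviewing.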