Threat Research

Patch Your Microsoft Outlook: Fortinet Discovered Four Outlook Remote Code Execution Vulnerabilities

By Yonghui Han | November 13, 2018

FortiGuard Labs Breaking Threat Research

 

This Patch Tuesday, November 13, 2018, Microsoft patched six vulnerabilities discovered in Microsoft Outlook. Four of them were discovered and reported on by Fortinet researcher Yonghui Han by following Fortinet’s responsible disclosure process. The CVE numbers assigned to them are CVE-2018-8522, CVE-2018-8524, CVE-2018-8576 and CVE-2018-8582. All Microsoft Outlook versions from 2010 to 2019 are affected. All of four of these vulnerabilities could lead to remote code execution and have been given an Important rating by Microsoft. In this post we will provide more details on these vulnerabilities:

 

Vulnerabilities

·      CVE-2018-8522

CVE-2018-8522 is a remote code execution vulnerability in Microsoft Outlook resulting from the failure to properly handle objects in memory. When parsing a malformed RWZ file, an incorrect pointer dereferences results in memory corruption that eventually can lead to a remote code execution scenario. The vulnerability exists in the function OLMAPI32.dll!ScRelocProps.

User interaction is required to exploit this vulnerability, wherein the victim must import a malformed Outlook Rules (.RWZ) file. An attacker who successfully exploits this vulnerability could execute arbitrary code on installations of vulnerable Microsoft Outlook version in the security context of the current user.

·      CVE-2018-8524

CVE-2018-8524 is a remote code execution vulnerability in Microsoft Outlook due to its failure to properly handle objects in memory. When parsing a malformed RWZ file, an incorrect heap address free results in a heap corruption that eventually can lead to a remote code execution scenario. The vulnerability exists in the function OLMAPI32.dll!MAPIFreeBuffer, which is called by the function OLMAPI32.dll!FreePadrlist.

User interaction is required to exploit this vulnerability where the victim must import a malformed Outlook Rules (.RWZ) file. An attacker who successfully exploits this vulnerability could execute arbitrary code on installations of vulnerable Microsoft Outlook version in the security context of the current user.

·      CVE-2018-8576

CVE-2018-8576 is a remote code execution vulnerability in Microsoft Outlook resulting from the failing to properly handle objects in memory. When parsing a malformed RWZ file, a buffer overflow is triggered due to insufficient sanitization of the value of the length parameter of the memcpy function that can eventually lead to a remote code execution scenario. The vulnerability exists in an unnamed function in OLMAPI32.dll, which is called by the function OLMAPI32.dll!HrConvertADRLIST.

User interaction is required to exploit this vulnerability such that the victim must import a malformed Outlook Rules (.RWZ) file. An attacker who successfully exploits this vulnerability could execute arbitrary code on installations of vulnerable Microsoft Outlook version in the security context of the current user.

·      CVE-2018-8582

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook resulting from the failure to properly handle objects in memory. When parsing a malformed RWZ file, the stack is corrupted because of the insufficient sanitization of the function's parameters, which in specific circumstances can lead to a remote code execution scenario. The vulnerability exists in an unnamed function in OUTLOOK.exe.

User interaction is required to exploit this vulnerability such that the victim must import a malformed Outlook Rules (.RWZ) file. An attacker who successfully exploits this vulnerability could execute arbitrary code on installations of vulnerable Microsoft Outlook version in the security context of the current user.

 

Attack Scenario

To exploit any of the above vulnerabilities, a user must open a specially crafted RWZ file with a vulnerable version of Microsoft Outlook. In an email attack scenario, an attacker could exploit these vulnerabilities by sending a specially crafted file to the user and then convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit these vulnerabilities.

 

Solution

All users of vulnerable versions of Microsoft Outlook should upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions were already protected from these vulnerabilities with the following signatures before the Microsoft patches were made available:

FG-VD-18-134_Microsoft.0day     (for CVE-2018-8522)

FG-VD-18-131_Microsoft.0day     (for CVE-2018-8524)

FG-VD-18-130_Microsoft.0day     (for CVE-2018-8576)

FG-VD-18-138_Microsoft.0day     (for CVE-2018-8582)

 

Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.