CVE-2024-30104 Overview
CVE-2024-30104 is a Remote Code Execution vulnerability in Microsoft Office. An attacker who convinces a user to open a specially crafted Office document can execute arbitrary code on that user's system. Microsoft classifies the weakness as CWE-59 (Improper Link Resolution Before File Access): an Office component follows a symbolic link, junction or similar path redirection during a file operation without first checking where the path actually resolves. Note that "Remote" in Microsoft's title refers to where the attacker sits; the CVSS attack vector is Local, because the malicious file has to be opened on the victim's machine.
Critical Impact
Successful exploitation gives the attacker code execution with the privileges of the user who opened the document. Microsoft rates the vulnerability Important rather than Critical, but in practice that user context is enough for data theft, malware installation and lateral movement, and it is a full system compromise wherever users run with local administrator rights.
Affected Products
- Microsoft 365 Apps for Enterprise (x64 and x86)
- Microsoft Office 2016 (x64 and x86)
- Microsoft Office 2019 (x64 and x86)
- Microsoft Office 2021 LTSC (x64 and x86)
Timeline
- June 11, 2024 - Microsoft publishes the advisory with the June 2024 Patch Tuesday updates; CVE-2024-30104 is published to NVD the same day
- November 21, 2024 - NVD entry last updated
Technical Details for CVE-2024-30104
Vulnerability Analysis
Microsoft has not published the internal details of this bug; what is public is the CWE-59 classification and the CVSS metrics. CWE-59 means the affected Office code performs a file operation (a read, write, rename or similar) on a path it trusts without verifying that no component of that path is a symbolic link, directory junction or other reparse point. If an attacker can plant such a link where the Office component expects an ordinary file or directory, the operation is silently redirected to a location the attacker chooses.
The attack requires user interaction: the victim must open a malicious document. The CVSS attack vector is Local, which here means the attack is carried through a file opened on the victim's machine rather than over a network protocol; it does not mean the attacker needs a prior foothold on the host. Code then runs with the privilege level of the logged-in user, so in environments where users hold administrative rights this amounts to full system compromise.
Root Cause
Based on the CWE-59 classification, the root cause is a missing check on path resolution before file access: an Office component follows links rather than validating the final target first, so a file operation meant for one location can be redirected to another. Depending on which operation is affected, that can mean a file Office writes lands in a directory the attacker controls or a file Office loads is substituted with attacker-controlled content, either of which can be turned into code execution in the user's context. The exact Office component and operation involved have not been disclosed by Microsoft.
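The following PowerShell script is an added illustration of the CWE-59 weakness class described above. It is not code from the advisory and does not reproduce the undisclosed Office bug; it shows, on a generic "writer" process, how a pre-planted directory junction redirects a trusting file write, and how checking every path component for a reparse point blocks it. The scratch directory names, the junction and the file content are all constructed for the demo, and a junction can be created without elevation, so the script runs as a normal user.

```powershell
# Added illustration of CWE-59 (link following); not code from the CVE-2024-30104 advisory.
# Assumed scenario: a writer process drops files under a scratch folder whose name an
# attacker can predict, and the attacker has replaced that folder with a directory junction.
# Everything is created under $env:TEMP and removed at the end.

$root        = Join-Path $env:TEMP ('cwe59-demo-' + [guid]::NewGuid())
$attackerDir = Join-Path $root 'attacker-controlled'
$victimDir   = Join-Path $root 'expected-scratch'   # the path the writer trusts
$null = New-Item -ItemType Directory -Path $attackerDir -Force

# Attacker step (constructed): plant a junction so the trusted path resolves elsewhere.
$null = New-Item -ItemType Junction -Path $victimDir -Value $attackerDir

function Test-PathHasReparsePoint {
    # Walk every existing component of the path from the target up to the drive root
    # and report any symbolic link, junction or mount point along the way.
    param([Parameter(Mandatory)][string]$Path)
    $current = [IO.Path]::GetFullPath($Path)
    while ($current -and (Split-Path $current -Parent)) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { return $true }
        }
        $current = Split-Path $current -Parent
    }
    return $false
}

function Write-ScratchFile {
    param([string]$Directory, [string]$Name, [string]$Content, [switch]$Hardened)
    $target = Join-Path $Directory $Name
    if ($Hardened -and (Test-PathHasReparsePoint $target)) {
        throw "Refusing to write through a reparse point: $target"
    }
    # Vulnerable pattern: the path is trusted and the junction is followed transparently.
    Set-Content -LiteralPath $target -Value $Content
    return $target
}

# Vulnerable writer: the file is created inside the attacker's directory.
$null = Write-ScratchFile -Directory $victimDir -Name 'settings.ini' -Content 'x=1'
'Vulnerable write landed at: ' + (Get-Item -LiteralPath (Join-Path $attackerDir 'settings.ini')).FullName

# Hardened writer: the same write is refused because $victimDir is a junction.
try   { Write-ScratchFile -Directory $victimDir -Name 'settings.ini' -Content 'x=1' -Hardened }
catch { 'Hardened write blocked: ' + $_.Exception.Message }

# Cleanup: Directory.Delete removes the junction itself without following it.
[IO.Directory]::Delete($victimDir)
Remove-Item -LiteralPath $root -Recurse -Force
```

The check walks parent directories as well as the final file because a junction anywhere above the target redirects the whole operation; checking only the leaf is the classic incomplete fix for this weakness class.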
Attack Vector
The attacker must get a specially crafted Office document in front of the target user, typically through a phishing email, a malicious download, or a compromised file share, and convince the user to open it. The attack vector is Local in CVSS terms: the file is opened on the victim's machine, and no network-facing Office service is involved.
When the document is opened, the affected Office component performs the file operation described above and follows the attacker-controlled link, which is what turns a document open into code execution in the user's session. From there the usual post-exploitation options apply: installing malware, exfiltrating data, or establishing persistence.
Detection Methods for CVE-2024-30104
Indicators of Compromise
- Office processes (winword.exe, excel.exe, powerpnt.exe, outlook.exe) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe or rundll32.exe
- Office processes creating or reading files outside their normal working locations (the document folder, %TEMP%, %LOCALAPPDATA%\Microsoft\Office), which on Windows is visible as Sysmon Event ID 11 file-create events attributed to the Office binary
- NTFS symbolic links, directory junctions or hard links appearing in user-writable directories that Office uses; note that Windows .lnk shortcut files are a different mechanism and are not the link type CWE-59 refers to
- Unexpected outbound network connections from Office processes shortly after a document is opened
Detection Strategies
- Alert on Office processes creating or following symbolic links or junctions in unexpected directories
- Deploy endpoint detection rules for Office processes spawning shell interpreters or script hosts (the parent/child pairs listed under Indicators of Compromise)
- Apply file integrity monitoring to system directories and to Office's own installation and add-in locations to catch unauthorized modifications
- Inspect inbound documents for embedded objects and external link references in mail and web gateways before they reach the user
Monitoring Recommendations
- Enable process-creation logging with command lines (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing turned on) and file-create logging (Sysmon Event ID 11) for Office binaries
- Configure SIEM rules that correlate a document open by an Office process with process creation from that process within a short window
- Watch for unusual file access by Office processes, particularly paths that resolve through reparse points or that fall outside the user's profile and the document's folder
- Baseline normal Office child-process and file-access behaviour per host so that deviations indicative of exploitation stand out
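The script below is an added detection example, not part of the advisory. It implements the "Office process spawning a shell or script host" indicator against Sysmon Event ID 1 (process creation) fields, first over a constructed set of sample events and then, in a helper, over the live Sysmon log. The process lists, the sample events, the user names and the function names are all assumptions for the demo.

```powershell
# Added detection example (not from the advisory). Flags Sysmon Event ID 1 records where an
# Office binary is the parent and the child is a shell, script host or LOLBin. Both watch lists
# below are assumed starting points; tune them to the environment.

$officeParents = @('winword.exe','excel.exe','powerpnt.exe','outlook.exe','msaccess.exe','visio.exe')
$suspiciousChildren = @(
    'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
    'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe'
)

function Find-OfficeChildProcess {
    # Returns one summary object per event whose parent is an Office binary and whose
    # child image is on the watch list. Input objects need Image and ParentImage fields.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if (-not $e.ParentImage -or -not $e.Image) { continue }
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if (($officeParents -contains $parent) -and ($suspiciousChildren -contains $child)) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Parent      = $parent
                Child       = $child
                CommandLine = $e.CommandLine
                User        = $e.User
            }
        }
    }
}

# Constructed sample events; field names follow the Sysmon Event ID 1 EventData schema.
$sample = @(
    [pscustomobject]@{ UtcTime='2024-06-12 09:14:03'; ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c powershell -nop -w hidden -enc AAAA'; User='CORP\alice' }
    [pscustomobject]@{ UtcTime='2024-06-12 09:14:05'; ParentImage='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine='winword.exe /embedding'; User='CORP\alice' }
    [pscustomobject]@{ UtcTime='2024-06-12 09:15:40'; ParentImage='C:\Windows\explorer.exe'
                       Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe'; User='CORP\bob' }
    [pscustomobject]@{ UtcTime='2024-06-12 09:16:11'; ParentImage='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image='C:\Windows\System32\wscript.exe'; CommandLine='wscript.exe C:\Users\alice\AppData\Local\Temp\run.vbs'; User='CORP\alice' }
)
Find-OfficeChildProcess -Events $sample | Format-Table -AutoSize

function Get-SysmonProcessCreate {
    # Live use: read Sysmon Event ID 1 from the last N hours and flatten EventData into
    # objects with the same field names the sample above uses.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]$data
    }
}
# Find-OfficeChildProcess -Events (Get-SysmonProcessCreate -Hours 24)
```

On the constructed sample the function returns two hits, the cmd.exe spawned by WINWORD.EXE and the wscript.exe spawned by EXCEL.EXE; the Word-spawned Word instance and the explorer-spawned cmd.exe are ignored. Matching on the image file name rather than the full path keeps the rule valid across Click-to-Run and MSI install locations, at the cost of being bypassable by a renamed binary, which is why the command line is returned for analyst review.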
How to Mitigate CVE-2024-30104
Immediate Actions Required
- Apply the June 2024 (or later) Microsoft security updates to every affected Office installation
- Educate users about the risks of opening documents from untrusted sources
- Consider application control (Windows Defender Application Control or AppLocker) to stop unauthorized executables and scripts from running
- Enable the Microsoft Defender Attack Surface Reduction (ASR) rules that target Office applications
Patch Information
Microsoft has released security updates addressing this vulnerability. Perpetual Office editions (2016, 2019, LTSC 2021) receive them through Windows Update, the Microsoft Update Catalog, WSUS, or Microsoft Configuration Manager. Microsoft 365 Apps for Enterprise uses Click-to-Run and does not take updates from WSUS; it updates from the Office CDN according to its update channel, or through Configuration Manager's Office client management. Check the installed build (for Click-to-Run, VersionToReport under HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration) against the fixed builds listed in the Microsoft Security Update Guide entry for CVE-2024-30104.
Workarounds
- Restrict users from opening Office documents from untrusted sources until patches are applied
- Keep Protected View enforced for files from the Internet zone, unsafe locations and Outlook attachments, and set it through policy so users cannot turn it off in the Trust Center
- Block Office applications from creating child processes using the Microsoft Defender ASR rule of that name
- Implement network segmentation to limit the impact of a compromised workstation
# Enforce Protected View through the Group Policy registry hive. Values under
# HKCU\Software\Policies override the per-user Trust Center settings stored under
# HKCU\Software\Microsoft\Office\16.0\<app>\Security\ProtectedView and cannot be changed from the UI.
# For the "Disable...InPV" values, 0 means the file class IS opened in Protected View.
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
# Enable Office File Validation on load (legacy binary formats are checked before they are opened)
reg add "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\FileValidation" /v EnableOnLoad /t REG_DWORD /d 1 /f
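The script below is an added hardening example, not part of the advisory. It enables the Defender ASR rule "Block all Office applications from creating child processes" (rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A), enforces Protected View for Internet-zone files, unsafe locations and Outlook attachments through the Group Policy registry hive for Word, Excel and PowerPoint, and reports the installed Click-to-Run build so it can be compared with the fixed build in the Security Update Guide. The function names are assumptions; run it from an elevated PowerShell session on a host with Microsoft Defender Antivirus active.

```powershell
# Added hardening script (not from the Microsoft advisory). Requires an elevated session
# and Microsoft Defender Antivirus for the ASR part.

$asrBlockOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-OfficeChildProcessAsrRule {
    # Start in AuditMode, review Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational
    # log for legitimate add-ins that would be hit, then rerun with -Mode Enabled (Event ID 1121 = blocked).
    param([ValidateSet('Enabled','AuditMode')][string]$Mode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrBlockOfficeChildProcesses -AttackSurfaceReductionRules_Actions $Mode
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpperInvariant() })
    $i    = [array]::IndexOf($ids, $asrBlockOfficeChildProcesses.ToUpperInvariant())
    if ($i -lt 0) { throw 'ASR rule not present after Add-MpPreference' }
    return $pref.AttackSurfaceReductionRules_Actions[$i]   # 1 = Block, 2 = Audit
}

function Set-ProtectedViewPolicy {
    # Policy-hive values override the Trust Center preferences and are greyed out in the UI.
    # 0 for each Disable...InPV value means that file class is opened in Protected View.
    foreach ($app in 'Word','Excel','PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
        $null = New-Item -Path $key -Force
        Set-ItemProperty -Path $key -Name DisableInternetFilesInPV   -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisableUnsafeLocationsInPV -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisableAttachementsInPV    -Value 0 -Type DWord   # Microsoft's spelling of this value
    }
}

function Get-OfficeC2RVersion {
    # Click-to-Run installs (Microsoft 365 Apps, C2R Office 2019/2021) record their build here;
    # MSI installs of Office 2016/2019 do not have this key and are patched through Windows Update.
    $cfg = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $cfg)) { return $null }
    $p = Get-ItemProperty -Path $cfg
    [pscustomobject]@{ Version = $p.VersionToReport; UpdateChannel = $p.UpdateChannel }
}

Enable-OfficeChildProcessAsrRule -Mode AuditMode
Set-ProtectedViewPolicy
Get-OfficeC2RVersion
```

The ASR rule is the single most effective workaround on this page because it stops the common post-exploitation step (Office launching cmd.exe, PowerShell or a script host) regardless of how the initial code execution was obtained; audit it first, since some legitimate macros and add-ins spawn helper processes.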
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

