Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

CVE-2023-23397 (CVSSv3 Score: 9.8 – Critical) – Microsoft Outlook Elevation of Privilege Vulnerability

This zero-day is a critical privilege escalation vulnerability in Microsoft Outlook that could allow an attacker to obtain the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. To achieve this, a threat actor could send a specially crafted email that causes the victim’s client to connect to an external UNC location under the attacker’s control. The victim’s Net-NTLMv2 hash is leaked to the attacker, who can then relay it to another service and authenticate as the victim. What makes this dangerous is that the flaw is triggered before the email is viewed in the Preview Pane; no user interaction is required.

Microsoft says that this vulnerability was exploited by STRONTIUM, which is a state-sponsored Russian hacking group. Between mid-April and December 2022, CVE-2023-23397 was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations.

Affected Products

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Mitigations

  • Customers can disable the WebClient service running on their organization’s machines.
    • This will block all WebDAV connections, including intranet ones, which may impact users or applications.
  • Add users to the Protected Users security group, which prevents the use of NTLM as an authentication mechanism. This mitigation is easier to troubleshoot than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins where possible. Please note: this may impact applications that require NTLM; however, the settings revert once the user is removed from the Protected Users group.
  • Block outbound TCP 445/SMB from your network using a perimeter firewall, a local firewall, and your VPN settings. This will prevent NTLM authentication messages from being sent to remote file shares.
    • Blocking port 445 alone is considered insufficient, because the vulnerability can be exploited over other ports if the WebClient service is running.

Additional Information

  • Microsoft recommends that all customers (on-premises, hybrid or online) install the Outlook updates.
  • The Exchange March SU does not address CVE-2023-23397; you need to install the Outlook updates to address this vulnerability in Outlook.

Detection

Microsoft has released a PowerShell script to help admins validate if any users in their Exchange environment have been targeted using this Outlook vulnerability. The script checks Exchange messaging items to see whether a property is populated with a UNC path. Admins could also use this script to clean up the property for items that are malicious or even delete the items permanently.
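As an added illustration of the check the detection section describes (this is not Microsoft’s script and not the page’s own code), the Python snippet below scans a constructed export of message items for a reminder-sound property that contains a UNC path to an external host. It assumes each item is a dict keyed by property name, with that property called PidLidReminderFileParameter, and uses a constructed allowlist for internal networks; it also distinguishes the @port WebDAV forms, which blocking TCP 445 alone does not stop.

```python
import re
from ipaddress import ip_address, ip_network

# UNC forms Windows will resolve from the reminder property: \\host\share\file (SMB, TCP 445)
# and \\host@80\path or \\host@SSL@443\path (WebDAV through the WebClient service).
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<port>(?:@(?:SSL|\d+))*)\\(?P<path>.*)$", re.IGNORECASE)

# Constructed allowlist: what counts as "internal" for this example environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example.local",)


def is_internal(host):
    """True for RFC 1918 addresses, single-label (NetBIOS-style) names and allowlisted suffixes."""
    try:
        ip = ip_address(host)
    except ValueError:
        h = host.lower()
        return "." not in h or h.endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def classify(value):
    """Return None if value is not a UNC path, else host, transport and whether it is external."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    host, port = m.group("host"), m.group("port")
    # An @port/@SSL suffix is served by WebClient (WebDAV), so blocking TCP 445 does not stop it.
    transport = "webdav" if port else "smb"
    return {"host": host, "transport": transport, "external": not is_internal(host)}


def scan_items(items, prop="PidLidReminderFileParameter"):
    """Flag items whose reminder-sound property points at an external UNC location."""
    findings = []
    for item in items:
        info = classify(item.get(prop) or "")
        if info and info["external"]:
            findings.append({"subject": item["subject"], "sender": item["sender"], **info})
    return findings


# Constructed sample export (assumed shape): one dict per item, keyed by property name.
SAMPLE_ITEMS = [
    {"subject": "Quarterly numbers", "sender": "a@example.com", "PidLidReminderFileParameter": r"\\203.0.113.10\s\r.wav"},
    {"subject": "Team sync", "sender": "b@example.com", "PidLidReminderFileParameter": r"\\fileshare.corp.example.local\sounds\chime.wav"},
    {"subject": "Invoice", "sender": "c@example.net", "PidLidReminderFileParameter": r"\\198.51.100.7@80\share\a"},
    {"subject": "Lunch", "sender": "d@example.com", "PidLidReminderFileParameter": r"C:\Windows\Media\chime.wav"},
    {"subject": "No reminder set", "sender": "e@example.com"},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(f"{f['subject']!r} from {f['sender']}: {f['transport']} to {f['host']}")
```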

POC Available

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

MITRE Summary

Tactic                              Technique ID   Technique Name
Privilege Escalation                T1068          Exploitation for Privilege Escalation
Credential Access                   T1187          Forced Authentication
Credential Access                   T1212          Exploitation for Credential Access
Defense Evasion, Lateral Movement   T1550.002      Pass the Hash

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Microsoft Customer Guidance