A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and requires immediate patching.
CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them steal the recipient’s credentials.
The victim doesn’t even need to open the malicious email; as Microsoft notes in its own guidance for the Microsoft 365 vulnerability: “The email triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation before the email is viewed in the Preview Pane”.
As of a 16/03 update, the critical Outlook exploit affects both 32 and 64-bit versions of Microsoft 365 Apps for Enterprise. Office 2013, 2016, and 2019. It is triggered by sending a malicious email that lets attackers capture the Net-NTLMv2 hash (challenge response protocols used for authentication in Windows environments) of the recipient and thereby authenticate as the victim. Thus, it is categorized as a critical escalation of privilege vulnerability via NTLM credential theft. IoCs are expected to be published.
Possible mitigation solutions:
- Disable the WebClient service running on their organizations machines, similar to our recommendation of blocking TCP/445 traffic. *Caution*: This will block all WebDAV connections including intranet which may impact your users or applications.
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. *Caution*: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
- Run the detection script, CVE-2023-23397.ps1, which checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a UNC path. If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/?ref=cisco-talos-blog
- https://blog.talosintelligence.com/outlook-privilege-escalation-vulnerability-cve-2023-23397/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397 https://www.cyber.gc.ca/en/alerts-advisories/microsoft-outlook-zero-day-vulnerability-allowing-ntlm-credential-theft
- Urgent: Microsoft 365 Apps being exploited in wild through CVSS 9.8 bug