Threat Advisory: Microsoft CVE-2023-23397
What is it?
Microsoft’s monthly Patch Tuesday release on March 14 revealed a critical, actively exploited vulnerability. It affects Microsoft Office, and in particular Outlook. CVE-2023-23397 is a concerning vulnerability because exploiting it requires neither prior access nor any user interaction.
For tracking purposes, the vulnerability has been labeled CVE-2023-23397, and named Microsoft Outlook Elevation of Privilege. With a CVSS score of 9.8 out of 10, CVE-2023-23397 is considered to be a critical vulnerability that needs patching as soon as possible.
How does it work?
An attacker simply delivers a specially crafted email carrying the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property. This property can be set to an external UNC (Universal Naming Convention) path that points to a Server Message Block (SMB) share on a server controlled by the attacker.
Outlook then initiates a connection to the hostile SMB share and performs NTLM negotiation, using the affected user’s password hash. What the attacker captures can then be used in an NTLM Relay attack against the victim. Because Outlook handles this property automatically, no user interaction is necessary for the attack to succeed.
What’s the impact?
If this vulnerability is exploited, the attackers will have access to the impacted user’s Net-NTLMv2 hash, which can be used for a future NTLM Relay attack. The NTLM Relay attack allows the attackers to authenticate to other services as the impacted user. In other words, attackers are now disguised as users within your organization as they gain access to other systems and services.
Exploiting CVE-2023-23397 is relatively simple and has already been used in real-world attacks. Given that success, we anticipate widespread use of this exploit in the immediate future, which makes patching this vulnerability a critical necessity.
The following products are affected:
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2019 for 32-bit editions
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft Office 2019 for 64-bit editions
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Outlook 2016 (32-bit edition)
Microsoft Office LTSC 2021 for 32-bit editions
Where have we seen this already?
There are reports of Russian state actors leveraging this vulnerability, and Microsoft has acknowledged that this vulnerability may have been operationalized in Ukraine.
Technical reports on this vulnerability are already publicly available, and while current exploitation is attributed to Russian state actors, we are certain that other attackers will attempt to exploit CVE-2023-23397 in the immediate future.
What can you do?
- Perform a business impact analysis, then apply the relevant security patches, provided by Microsoft.
- Temporary alternatives are available from Microsoft if immediate patching is not possible.1
- Add relevant users to the Protected Users group in Active Directory or Azure Active Directory.
- Block TCP port 445 (SMB) outbound via perimeter or local firewall, and via VPN settings.
- Use an impact assessment script to audit whether CVE-2023-23397 has been exploited in your environment, or whether threat actors have made an exploitation attempt.2
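As an added illustration of the audit in the last item (this is not Microsoft’s script and not code from this advisory): a Python check over constructed sample mailbox items that flags any message whose PidLidReminderFileParameter points at a UNC path on a host outside the organization. The `.corp.example` suffix, the 10.0.0.0/8 range and the sample messages are assumptions for the demo; in practice the items would come from an export of the mailbox.

```python
import re
from ipaddress import ip_address, ip_network
# PidLidReminderFileParameter is a named MAPI property (set PSETID_Common, long ID 0x851F,
# type PtypString); mailbox items are modelled here as plain dicts keyed by that ID.
REMINDER_FILE_PARAM_LID = 0x851F
# A UNC path is two separators then a host; Windows accepts '/' as well as '\'.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/].*)?$")

def unc_host(value):
    """Host part of a UNC path, or None for an unset value or a local file path."""
    match = UNC_RE.match(value.strip()) if value else None
    return match.group(1).lower() if match else None

def is_internal(host, internal_suffixes, internal_networks):
    """True for an IP inside an internal network or a name under an internal DNS suffix."""
    try:
        addr = ip_address(host)
    except ValueError:
        return any(host.endswith(s) for s in internal_suffixes)
    return any(addr in ip_network(n) for n in internal_networks)

def audit_messages(messages, internal_suffixes=(".corp.example",), internal_networks=("10.0.0.0/8",)):
    """Classify each item by where its reminder sound property points; returns (id, sender, host, verdict)."""
    findings = []
    for msg in messages:
        host = unc_host(msg.get("props", {}).get(REMINDER_FILE_PARAM_LID))
        if host is None:
            verdict = "ok"            # unset or a local file: the property's legitimate use
        elif is_internal(host, internal_suffixes, internal_networks):
            verdict = "internal-unc"  # unusual, review it, but no credential leaves the network
        else:
            verdict = "external-unc"  # CVE-2023-23397 pattern: Outlook would authenticate to this host
        findings.append((msg["id"], msg["from"], host or "", verdict))
    return findings

def flagged(findings):
    """Only the findings that indicate an exploitation attempt."""
    return [f for f in findings if f[3] == "external-unc"]

# Constructed sample mailbox data (not real messages); the external host is a documentation address.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "hr@corp.example", "props": {}},
    {"id": "m2", "from": "it@corp.example", "props": {REMINDER_FILE_PARAM_LID: r"C:\Windows\Media\chimes.wav"}},
    {"id": "m3", "from": "files@corp.example", "props": {REMINDER_FILE_PARAM_LID: r"\\fs01.corp.example\media\ding.wav"}},
    {"id": "m4", "from": "invoice@unknown.example", "props": {REMINDER_FILE_PARAM_LID: r"\\203.0.113.7\share\r.wav"}},
]

if __name__ == "__main__":
    for item_id, sender, host, verdict in audit_messages(SAMPLE_MESSAGES):
        print(f"{item_id} from {sender}: {verdict} {host}")
```

An "internal-unc" result is not proof of exploitation, but a reminder sound served from a network share is rare enough that it deserves a look alongside the "external-unc" hits.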
Glossary
There are a lot of technical concepts in here - as your technical translators, we’ve defined a few of them for you.
The Common Vulnerability Scoring System (CVSS) rates the severity of software security vulnerabilities using a publicly understood framework. It rates vulnerabilities on a scale of 0-10, with 0 indicating no severity and 10 indicating critical severity.
Messaging Application Programming Interface (MAPI) is an API specific to Windows that allows users to send and receive messages. In this case, Outlook users use the Exchange server to manage their inbox and download emails.
New Technology LAN Manager (NTLM) is a suite of Microsoft Windows security protocols that authenticates user identities and preserves the confidentiality and integrity of user actions.
An NTLM Relay attack is an attack in which attackers take hashed versions of user credentials and reuse them with the goal of authenticating to internal servers.
Patch Tuesday refers to the second Tuesday of each month, on which Microsoft releases fixes for identified vulnerabilities to improve Windows security.
The PidLidReminderFileParameter property specifies the filename of a sound that should play when a reminder for an item becomes overdue.
The Server Message Block (SMB) is a network file-sharing protocol that enables computer applications to read and write files and to request services from servers on the network.