
Critical Vulnerability in Outlook
With its Patch Tuesday release, Microsoft announced a Microsoft Outlook vulnerability (described as an RCE, remote code execution) titled “Microsoft Outlook Elevation of Privilege Vulnerability” and classified as CVE-2023-23397.
This vulnerability in Microsoft Outlook is an Elevation-of-Privilege (EoP) issue.

This means that when the vulnerability is exploited, attackers can obtain the victim’s Net-NTLMv2 challenge-response authentication hash and use it to escalate privileges. Once the hash is stolen, the attacker can impersonate the user.
Background

Microsoft addressed CVE-2023-23397 with its Patch Tuesday release on March 14, 2022. The issue was first discovered in collaboration with CERT-UA (the Computer Emergency Response Team of Ukraine). According to Microsoft, this vulnerability was utilised in attacks that targeted and breached the networks of fewer than 15 Russian and EU government, military, energy, and transportation organisations between mid-April and December 2022.
Exploit — Modus Operandi

By delivering malicious Outlook notes or tasks to victims, attackers can steal NTLM (New Technology LAN Manager, Windows’ challenge/response authentication method) authentication hashes. The exploit is triggered automatically when the email is retrieved and processed by the Outlook client, which can occur even before the email is displayed in the Preview Pane. As you may be aware, this is not a new exploitation technique; it has been around for a while and is known as the NTLM relay attack.
Is it perilous?

CVE-2023-23397 is not just serious; it is also the most widespread flaw of the year. Security researchers warn that multiple proof-of-concept exploits appeared within three days of publication. Because these attacks require minimal user interaction, they are likely to attract the interest of cybercriminals.
Impact

This exploit’s possible consequences range from data exfiltration to malware installation and corporate email compromise. By reusing the stolen authentication, attackers can move laterally across networks and connect to other systems.
Recommendation

CVE-2023-23397 has a large attack surface: everyone in the desktop Outlook user base is potentially exposed. To best safeguard the company, administrators should use perimeter firewalls, local (host) firewalls, and VPN settings to block outbound TCP 445 (SMB) traffic from the network to the Internet. Moreover, companies should add users to Active Directory’s “Protected Users” security group, which prevents NTLM from being used as an authentication method for those accounts.
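The two controls above expressed as PowerShell, added here as an illustration and not taken from the article or from Microsoft’s guidance. It assumes an elevated session on a domain-joined Windows host with the ActiveDirectory RSAT module installed; the account names are constructed placeholders.

```powershell
# Added example (not from the original article or from Microsoft): host-side mitigations for CVE-2023-23397.
# Assumes an elevated PowerShell session, domain membership, and the ActiveDirectory RSAT module.

# 1. Block outbound SMB (TCP 445) to public address space. A malicious reminder that points at an
#    attacker-controlled UNC path needs this outbound connection to coerce the Net-NTLMv2 handshake.
#    Explicit public ranges (everything outside RFC 1918) are used so the rule does not depend on
#    network-location classification; in Windows Firewall a Block rule wins over Allow rules by default.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',       # below 10.0.0.0/8
    '11.0.0.0-172.15.255.255',     # between 10/8 and 172.16/12
    '172.32.0.0-192.167.255.255',  # between 172.16/12 and 192.168/16
    '192.169.0.0-223.255.255.255'  # above 192.168/16, up to the multicast boundary
)
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $publicRanges -Action Block -Profile Any

# Verify the rule was created and is enabled.
Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Add high-value accounts to the Protected Users group so NTLM cannot be used for them at all.
#    Caveat: Protected Users also disables cached logon credentials and shortens Kerberos ticket
#    lifetimes, so do not add service or computer accounts, and pilot with a small group first.
$pilotUsers = @('jdoe', 'asmith')   # constructed placeholder sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $pilotUsers

# Confirm membership.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
```

The firewall rule only covers this host; the same TCP 445 egress block still belongs on the perimeter firewall and in VPN split-tunnel settings as the article recommends.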
Extra Assistance

Microsoft is releasing documentation and a detection script at https://microsoft.github.io/CSS-Exchange to help you establish whether your company was targeted by individuals attempting to exploit this issue. Administrators can use the script to check their environment for signs of this vulnerability.