Overview
Microsoft has released a new critical vulnerability, scoring a 9.8 out of a maximum of 10 on the CVSS chart. The vulnerability, CVE-2023-23397, is an Elevation of Privilege (EoP) vulnerability in Microsoft Outlook. It gets triggered by an attacker who sends a message with an extended property with a UNC file path to an SMB (port 445) share on a server controlled by a threat actor. The malicious code steals the NTLM hash, which contains the Windows user’s account password, and uses it to escalate through the account.
Unlike many email-based attacks, this attack’s success does not depend on the recipient’s actions once the malicious email hits their inbox. No action is needed because this specific vulnerability triggers on the email server side. This means the exploit occurs before a victim ever sees the malicious content. In other words, without clicking or even reading the email, the attack will commence.
CVE-2023-23397 affects the 32-bit and 64-bit versions of Microsoft 365 Apps for Enterprise Office 2013, 2016, and 2019. Any Microsoft-hosted online services, such as Microsoft 365, are not vulnerable.
Malicious actors have targeted this vulnerability within government, military, energy, and transportation organizations. But, the reach of these attacks will only increase once threat actors realize how simple it is to target and attack someone using this vulnerability.
Recently, Microsoft released a security update to resolve the issue, which you can find in the first link below.
Recommended Action Items for Affected Microsoft Outlook Users:
- Ensure you have the most up-to-date version of Microsoft running on your device. Microsoft has also recommended that customers disable the WebClient service on their organization’s machines.
- Blocking TCP Port 445/SMB outbound from your network using a perimeter firewall, local firewall, and through a VPN. Doing so prevents the sending of NTLM authentication messages to remote file shares.
Mircosoft’s Patch Tuesday routinely brings unexpected yet pressing news regarding updates and new vulnerabilities. Staying in the loop with these releases will help you stay current on the most recent versions of your applications and prevent your organization from becoming vulnerable to bugs.
Sources
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2016-march-14-2023-kb5002254-a2a882e6-adad-477a-b414-b0d96c4d2ce3 – Microsoft Security Update
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397 – CVE-2023-23397
https://krebsonsecurity.com/2023/03/microsoft-patch-tuesday-march-2023-edition/
https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/