
WARNING: Active exploitation of a 0-Day Elevation of Privilege vulnerability CVE-2023-23397 in Outlook, PATCH IMMEDIATELY!

Reference: Advisory #2023-30
Version: 1.0
Affected software:
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2019 for 32-bit editions
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Office LTSC 2021 for 32-bit editions
Type: Elevation of Privilege
CVE/CVSS:

CVE-2023-23397: 8.6 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224

Risks

Microsoft patched a zero-day in Microsoft Outlook for Windows. An attacker can exploit this vulnerability by sending a malicious email to a user with a vulnerable Outlook client. The vulnerability is triggered automatically when Outlook processes the email, before the message is opened or even shown in the preview pane.

This vulnerability allows the threat actor to authenticate as the victim to another service.

The attack could be used for lateral movement or email exfiltration.

Description

CVE-2023-23397 is an Elevation of Privilege vulnerability in the Outlook mail client. A threat actor can send a malicious mail that will trigger when the mail is processed by Outlook. The exploit triggers a connection to a malicious server. This action will leak the Net-NTLMv2 hash of the victim to the threat actor. The threat actor can then relay the hash to another service and authenticate as the victim.

The exploit uses a network vector with low complexity, no privileges required, and no user interaction required.

This vulnerability has been exploited in the wild. At the time of writing there is no known public exploit available.

Microsoft credits CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence (MSTI) for the discovery of this vulnerability.

Recommended Actions

Scope

Vulnerable software: Microsoft Outlook client for Windows.

Remark: The web client, iOS, and Android clients are not affected by this vulnerability.

Patch

An official patch is available as part of the March 2023 Microsoft Patch Tuesday update.

Mitigation

If patching is not immediately possible, Microsoft recommends adding users to the "Protected Users" security group, which disables NTLM as an authentication mechanism for those accounts. Additionally, Microsoft recommends blocking outgoing traffic on port 445 to prevent outgoing NTLM authentication messages.
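As an added example (not part of this advisory and not Microsoft's code), the following PowerShell applies both interim mitigations on a domain-joined Windows host: it adds the listed accounts to the Protected Users group and creates a Windows Firewall rule that blocks outbound TCP 445 toward Internet addresses, so on-premises file shares keep working. The account names are constructed placeholders, and the `Internet` address keyword for `New-NetFirewallRule` is assumed to be supported on the target build.

```powershell
#Requires -Modules ActiveDirectory, NetSecurity
# Added example: apply the CVE-2023-23397 interim mitigations described above.
# Run with an account that can modify AD group membership and local firewall rules.

# Constructed sample accounts; replace with the users to protect.
$Users = @('alice.example', 'bob.example')

function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "Account not found: $name"
            continue
        }
        # Protected Users membership disables NTLM for the account. This also breaks
        # any legacy service that still depends on NTLM, so pilot on a small group first.
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
        Write-Host "Added $name to Protected Users"
    }
}

function Block-OutboundSmb {
    # Block outbound TCP 445 to Internet addresses only; use -RemoteAddress Any
    # to block all SMB egress if internal shares are not a concern on this host.
    $ruleName = 'CVE-2023-23397 - Block outbound SMB to Internet'
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule '$ruleName' already present"
        return
    }
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}

Add-ToProtectedUsers -SamAccountNames $Users
Block-OutboundSmb
```

The perimeter firewall should block outbound 445 as well; the host rule only covers machines that leave the corporate network.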

Monitor / Detect

Microsoft has released a script to check whether any users have been targeted by this attack. You can find the script on this Microsoft GitHub page.

References

https://www.tenable.com/blog/microsofts-march-2023-patch-tuesday-addresses-76-cves-cve-2023-23397

https://nvd.nist.gov/vuln/detail/CVE-2023-23397

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/