WARNING: Active exploitation of a 0-Day Elevation of Privilege vulnerability CVE-2023-23397 in Outlook, PATCH IMMEDIATELY!
CVE-2023-23397: 8.6 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Microsoft patched a zero-day in Microsoft Outlook for Windows. An attacker can exploit this vulnerability by sending a malicious email to a user with a vulnerable Outlook client. The vulnerability is triggered automatically when Outlook processes the email, before the email is even viewed in the preview pane.
This vulnerability allows the threat actor to authenticate as the victim to another service.
The attack could be used for lateral movement or email exfiltration.
CVE-2023-23397 is an Elevation of Privilege vulnerability in the Outlook mail client. A threat actor can send a malicious mail that will trigger when the mail is processed by Outlook. The exploit triggers a connection to a malicious server. This action will leak the Net-NTLMv2 hash of the victim to the threat actor. The threat actor can then relay the hash to another service and authenticate as the victim.
The exploit uses a network vector with low complexity, no privileges required, and no user interaction required.
This vulnerability has been exploited in the wild. At the time of writing there is no known public exploit available.
Microsoft credits CERT-UA, Microsoft Incident Response, Microsoft Threat Intelligence (MSTI) for the discovery of this vulnerability.
Vulnerable software: Microsoft Outlook client for Windows.
Remark: The web client, iOS, and Android clients are not affected by this vulnerability.
An official patch is available as part of the March 2023 Microsoft Patch Tuesday update.
If patching is not immediately possible, Microsoft recommends adding users to the "Protected Users" security group, which disables NTLM authentication for those accounts. Additionally, Microsoft recommends blocking outgoing traffic on TCP port 445 to prevent outgoing NTLM authentication messages from leaving the network.
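As an added example (not from the advisory and not Microsoft's own script), the two interim mitigations above applied and verified with PowerShell on a domain-joined host; the rule name, the placeholder account names in $HighValueUsers, and the availability of the NetSecurity and ActiveDirectory modules are assumptions.

```powershell
# Added example: applies and audits the two interim mitigations for CVE-2023-23397.
# Assumptions: run elevated on a domain-joined Windows host with the NetSecurity
# and ActiveDirectory modules installed; $HighValueUsers is a constructed placeholder.
#Requires -RunAsAdministrator
Import-Module NetSecurity
Import-Module ActiveDirectory

# 1. Block outbound TCP 445 to Internet addresses only. The "Internet" keyword
#    keeps intranet SMB (file servers, SYSVOL) working while stopping the
#    NTLM authentication attempt from reaching a host outside the network.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# 2. Add high-value accounts to Protected Users. Membership disables NTLM for
#    those accounts, so a leaked Net-NTLMv2 hash cannot be relayed on their behalf.
#    Do not add service or computer accounts; pilot with one account first.
$HighValueUsers = @('jdoe', 'asmith')   # constructed placeholder sAMAccountNames
$group = Get-ADGroup -Identity 'Protected Users'
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
foreach ($u in $HighValueUsers) {
    if ($current -notcontains $u) {
        Add-ADGroupMember -Identity $group -Members $u
    }
}

# 3. Report the resulting state so the change can be audited and reverted later.
[pscustomobject]@{
    FirewallRuleEnabled = (Get-NetFirewallRule -DisplayName $ruleName).Enabled
    ProtectedUsers      = (Get-ADGroupMember -Identity $group |
                           Select-Object -ExpandProperty SamAccountName) -join ', '
}
```

The Protected Users restrictions are enforced only on Windows 8.1 / Server 2012 R2 and later hosts, and the local firewall rule does not replace the perimeter block on port 445 that the advisory also calls for.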
Monitor / Detect
Microsoft has released a script to see if any users have been targeted by this attack. You can find the script on this Microsoft GitHub page.