Microsoft Outlook (CVE-2023-23397) has been exploited in zero-day attacks

With its Patch Tuesday for March 2023, Microsoft addressed a critical Outlook vulnerability that is being exploited in the wild: a CVSS 9.8, pre-auth RCE bug.

How Attackers Exploit This Vulnerability on Vulnerable Versions of Outlook

Attackers can exploit CVE-2023-23397 by sending a specially crafted email to a vulnerable version of Outlook that forces a connection from the victim’s device to an external UNC location under the attacker’s control. This leaks the victim’s Net-NTLMv2 hash to the attacker, who can then relay it to another service and authenticate as the victim.

The victim doesn’t even need to open the malicious email. As Microsoft notes in its own guidance for the Microsoft 365 vulnerability: “[It] triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”

Impacted Products:

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Recommended Steps:

First of all, install the latest patches from Microsoft (it is always recommended to test them first in a non-production environment).

Additionally, Microsoft published a script that can be used to determine whether or not your organization has been targeted through this vulnerability.

The following mitigating factors may be helpful in your situation:

  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high-value accounts such as Domain Admins when possible. Please note: this may impact applications that require NTLM; however, the settings will revert once the user is removed from the Protected Users group. Please see the Protected Users Security Group documentation for more information.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
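The following PowerShell fragment is an added example (not part of the original post or Microsoft’s guidance) that applies the two mitigations above and verifies them. It assumes an elevated session on a domain-joined Windows host, the RSAT ActiveDirectory module for the group step, and placeholder account names.

```powershell
# Added example: apply and verify the two mitigations listed above.
# Assumptions: elevated session, ActiveDirectory module available,
# account names below are placeholders to replace with real high-value accounts.
Import-Module ActiveDirectory

# Mitigation 1: block outbound SMB (TCP 445) with the local firewall so a
# crafted reminder cannot push Net-NTLMv2 authentication to an external share.
$RuleName = 'Block outbound SMB - CVE-2023-23397 mitigation'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# Mitigation 2: put high-value accounts into Protected Users so NTLM is
# refused for them even if a hash does leak. Only user objects are added;
# service or computer accounts are skipped because the group breaks them.
$HighValueAccounts = @('PLACEHOLDER-admin1', 'PLACEHOLDER-admin2')
foreach ($acct in $HighValueAccounts) {
    $user = Get-ADUser -Identity $acct -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        Write-Warning "Account $acct not found, skipping"
        continue
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}

# Verification: the rule must be enabled and filter remote port 445, and the
# accounts must now be members of Protected Users.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$port = $rule | Get-NetFirewallPortFilter
"Firewall rule enabled: $($rule.Enabled), remote port: $($port.RemotePort)"
Get-ADGroupMember -Identity 'Protected Users' |
    Where-Object { $_.SamAccountName -in $HighValueAccounts } |
    Select-Object SamAccountName, objectClass
```

Rolling back mitigation 2 is the documented behaviour of the group: removing the account from Protected Users restores NTLM for it.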

Microsoft has posted a blog on this issue:

https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/

A PoC for this vulnerability was published by MDSec:

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability – MDSec

SHMUEL H.
