Critical Vulnerability in Outlook Requiring Little to No Interaction Patched by Microsoft

Read our latest Enterprise Threat Intelligence Briefing on the Microsoft Outlook Elevation of Privilege Vulnerability, compiled by Kyle Nordby and John Garner.

Vulnerability

CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability^[1]

Affected Products

All supported versions of Microsoft Outlook for Windows

Remediation

• March 14^th security patches for Microsoft Outlook^[1]
• Mitigations against Pass-the-Hash attacks^[2]
• Block outbound SMB traffic at the firewall

Detection

• Microsoft PowerShell detection script^[3]
• Suspicious outbound SMB traffic

Microsoft released a patch in February regarding a vulnerability with a CVSS score of 9.8, just shy of the maximum of 10. This low-complexity exploit was found and reported to Microsoft by the Ukrainian Computer Emergency Response Team (CERT).

While the Microsoft Security Response Center (MSRC) page^[1] states that there is no currently released proof-of-concept (POC) code, security researchers have already figured out how to leverage this exploit. For example, in an article by MDSec on the same day as the announcement^[4], a red teamer built a full POC detailing how the exploit works.

This was originally seen being leveraged by Russian threat actors as early as April 2022. With the publicity of the CVE and ease of exploitation, PacketWatch has high confidence that this will be actively exploited in the coming weeks. PacketWatch already monitors for indicators of compromise (IOCs) by checking for suspicious outbound SMB traffic and is currently advising to both patch Outlook and review firewall policies for current clients.

In emails with tasks or calendar events that have due dates, the sender can specify when it becomes overdue, playing a default or custom sound. The exploit itself relies on that property, where the attacker instead replaces the reminder sound with a malicious UNC path^[5]. This triggers the Outlook client to send NTLM hashes over SMB to a destination controlled by the attacker. Once completed, the attacker can then leverage those credentials using an NTLM Relay attack, also known as a Pass-the-Hash attack^[6].

A patch for affected Outlook clients is already available by Microsoft^[1]. Proactively, PacketWatch recommends reviewing what protocols and ports can communicate externally to the environment. Microsoft has also released a detection script that can reveal previous exploitation attempts^[3].

References

• [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
• [2] https://www.microsoft.com/en-us/download/details.aspx?id=36036
• [3] https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
• [4] https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
• [5] https://en.wikipedia.org/wiki/Path_(computing)#Universal_Naming_Convention
• [6] https://en.wikipedia.org/wiki/Pass_the_hash