Microsoft Outlook Vulnerability Could Be 2023's "It" Bug - POKIKA


Microsoft has patched an actively exploited zero-day vulnerability in Microsoft Outlook, tracked as CVE-2023-23397, that allows an attacker to elevate privileges: by capturing a victim’s Net-NTLMv2 challenge-response hash, the attacker can relay it and impersonate the user to other services.

It is now clear that CVE-2023-23397 is dangerous enough to become the most notable bug of the year, security researchers warn. In the three days since disclosure, multiple proof-of-concept (PoC) exploits have appeared, and criminal interest is sure to snowball, helped by the fact that exploitation requires no user interaction.

If patching immediately isn’t possible, workaround options are listed below.

Easy to exploit, no user interaction required

The vulnerability lets attackers steal NTLM authentication hashes by sending the victim a crafted Outlook item such as a calendar invitation, task, or note. The item carries an extended MAPI property (the path of the reminder sound file) that points at a UNC path on an attacker-controlled server; when the Outlook client retrieves and processes the item, it connects to that path and authenticates with NTLM automatically. This happens before the item is even rendered in the preview pane: the target does not have to open the email to fall victim to the attack.

Discovered by the Computer Emergency Response Team of Ukraine (CERT-UA) and one of Microsoft’s own researchers, and patched earlier this week as part of Microsoft’s Patch Tuesday update, the bug affects all supported versions of the Outlook for Windows desktop client; organizations running Exchange Server with Windows desktop clients are the typical target. Outlook for Android, iOS, and Mac, and Outlook on the web (OWA), are not affected.

“External attackers can send specially crafted emails that would lead to a connection from the victim to an external UNC location of the attackers’ control,” said OccamSec founder and CEO Mark Stamford. This reveals the victim’s Net-NTLMv2 hash to the attacker, who can relay it to another service and authenticate as the victim, he explains.

A range of potential operational impacts

Nick Ascoli, founder and CEO of Foretrace, notes that while Microsoft hasn’t specified how attackers are using the bug in their campaigns, it allows them to reuse the stolen credentials to connect to other computers on the network for lateral movement.

“Potential attacks can range from exfiltrating data to potentially installing malware, depending on the victim’s permissions,” he says.

Bud Broomhead, CEO of Viakoo, notes that “the potential victims are those who are most susceptible to business email compromise.” He notes that several areas could be affected, the most serious of which are identity management and trust in internal email communications.

“Risks also include breaching key IT systems, spreading malware, compromising business email for financial gain and disrupting business operations and business continuity,” warns Broomhead.

Is this the “It” bug of 2023?

Viakoo’s Broomhead says that while there may be many possible “It” bugs coming from Microsoft right now in 2023, this is certainly a contender.

“Because it affects organizations of all types and sizes, has disruptive mitigation methods, and employee training on it won’t stop it, this may be a vulnerability that requires more effort to mitigate and eliminate,” he explains.

He notes that the attack surface is at least as large as the desktop Outlook user base (massive), potentially extends to major IT systems connected to Windows 365 (very massive), and ultimately to anyone who sends email to an Outlook recipient (almost everyone).

Then, as mentioned, the PoCs in circulation make the situation more attractive to cybercriminals.

“Because the vulnerability is public and the proof-of-concept instructions are well documented, other threat actors can adopt the vulnerability in malware campaigns and target a wider audience,” adds Daniel Hoffman, CEO of Hornetsecurity. “In general, exploitation of the vulnerability is straightforward, and public proofs of concept can already be found on GitHub and other open forums.”

What should businesses do? They may have to look beyond the patch, warns Broomhead. “Mitigation in this case is difficult because it disrupts the configuration of email systems and the users within them.”

How to protect against CVE-2023-23397

For those unable to patch immediately, Hornetsecurity’s Hoffman says administrators should block outbound TCP 445/SMB traffic to the Internet using perimeter firewalls, local firewalls, and VPN settings.

“This action prevents NTLM authentication messages from being forwarded to remote file shares, helping to address CVE-2023-23397,” he explains.

Organizations should also add users to the Active Directory “Protected Users” security group, which prevents NTLM from being used as an authentication mechanism for those accounts. Note that membership in Protected Users also disables Kerberos delegation and DES/RC4 pre-authentication and shortens ticket lifetimes for its members, so it should be reserved for interactive high-value user accounts and never applied to service or computer accounts.

“This approach makes it easier to troubleshoot compared to other methods of disabling NTLM,” says Broomhead. “It’s especially useful for high-value accounts like domain administrators.”
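The two interim workarounds above (blocking outbound SMB to the Internet and moving high-value accounts into Protected Users) as an added PowerShell example, not code from the article, from Microsoft, or from any of the vendors quoted. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module, that only RFC 1918 IPv4 ranges count as internal, and the account names and probe address are constructed samples.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): applies the two interim
# workarounds for CVE-2023-23397 on a domain-joined Windows host and checks
# the result. Assumptions: only RFC 1918 IPv4 ranges are internal, the RSAT
# ActiveDirectory module is installed, and the sample accounts and the probe
# address below are constructed.

function Set-OutboundSmbBlock {
    # Windows Firewall lets Block rules win over Allow rules, so rather than
    # "allow internal + block any" (which would cut off DCs and file servers)
    # we block outbound TCP 445 only toward the public IPv4 space and leave
    # SMB to RFC 1918 addresses untouched.
    $publicRanges = @(
        '1.0.0.0-9.255.255.255',
        '11.0.0.0-172.15.255.255',
        '172.32.0.0-192.167.255.255',
        '192.169.0.0-223.255.255.255'
    )
    $name = 'Block outbound SMB to Internet (CVE-2023-23397 workaround)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Protocol TCP -RemotePort 445 -RemoteAddress $publicRanges `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

function Add-HighValueAccountsToProtectedUsers {
    param([string[]]$SamAccountNames)
    # Protected Users blocks NTLM for its members, but it also disables
    # Kerberos delegation and RC4/DES pre-auth and shortens TGT lifetime, so
    # only interactive high-value user accounts belong here. Accounts that
    # carry an SPN are almost certainly service accounts, so refuse them.
    Import-Module ActiveDirectory
    $users = foreach ($sam in $SamAccountNames) {
        Get-ADUser -Identity $sam -Properties ServicePrincipalName
    }
    $spnUsers = @($users | Where-Object { $_.ServicePrincipalName })
    if ($spnUsers.Count -gt 0) {
        throw "Refusing to add accounts with SPNs (likely service accounts): $($spnUsers.SamAccountName -join ', ')"
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $users
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
}

function Test-Workarounds {
    # Probe a public address (203.0.113.10 is TEST-NET-3, a constructed
    # sample) on TCP 445; with the block rule in place the connect must fail.
    # -WarningAction silences the expected "TCP connect failed" warning.
    $probe = Test-NetConnection -ComputerName '203.0.113.10' -Port 445 `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        OutboundSmbBlocked  = -not $probe.TcpTestSucceeded
        ProtectedUsersCount = @(Get-ADGroupMember -Identity 'Protected Users').Count
    }
}

Set-OutboundSmbBlock
# Constructed sample account names; replace with your own high-value users.
Add-HighValueAccountsToProtectedUsers -SamAccountNames @('jdoe', 'asmith')
Test-Workarounds
```

Two caveats a practitioner should keep in mind: the firewall rule covers IPv4 only, so hosts with global IPv6 connectivity need an equivalent IPv6 rule, and blocking outbound 445 to the Internet does nothing against a UNC path that points at an internal host the attacker already controls. Both workarounds reduce exposure; they do not replace the patch.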

He notes that Microsoft has provided a script (CVE-2023-23397.ps1, published in its CSS-Exchange repository on GitHub) that audits Exchange mailboxes for messages with UNC paths in the relevant message property and can clean the property or remove the items. Microsoft recommends that administrators run the script to determine whether they have been targeted and to remediate any affected items.
