A critical vulnerability, CVE-2023-23397, exists in Microsoft Outlook and allows elevation of privilege. It has been actively exploited by Russian attackers since mid-April 2022. Users and administrators should install the Outlook security updates provided by Microsoft immediately. As part of a patchday recap, I summarize some information in this post.
Outlook vulnerability CVE-2023-23397
I had already pointed out the CVE-2023-23397 vulnerability in Microsoft Outlook, which is classified as critical, in the blog post Microsoft Security Update Summary (March 14, 2023). It is an elevation of privilege (EoP) vulnerability with a CVSS v3 score of 9.8, i.e. it is rated extremely critical.
Attackers can send a malicious email to a vulnerable version of Outlook. When the email is retrieved from the server and processed by the client, a connection is established to an attacker-controlled device, which captures the recipient's Net-NTLMv2 hash. The attacker can use that hash to authenticate as the victim in an NTLM relay attack, Microsoft says.
Microsoft notes in its documents that this vulnerability can be exploited before the email is displayed in the preview window. Thus, a successful attack does not require any interaction from the recipient.
Updates and Exchange test script available
Microsoft released security updates for Outlook 2016 (KB5002254) and Outlook 2013 (KB5002265) on March 14, 2023 (see Patchday: Microsoft Office Updates (March 14, 2023)). Older Outlook versions that are out of support (e.g. Outlook 2010) receive no patch and remain attackable.
For a list of all Outlook updates as of March 14, 2023, see CVE-2023-23397, which also covers the Click-to-Run builds of Outlook 2016, Outlook 2019 and Outlook 2021 as well as Microsoft 365 (Office 365). Note that these are distributed through the Office/Outlook update channel, not through Windows Update.
An Exchange test script
Microsoft notified Exchange administrators of the vulnerability on the March 2023 patchday and published a check script (see the blog post Exchange Server Security Updates (March 14, 2023)). The script CVE-2023-23397.ps1 checks all Exchange messaging items (email, calendar and tasks) for a reminder property that is populated with a UNC path.
If necessary, administrators can use this script to clear the property on malicious items or to permanently delete those items from the Exchange servers. The script has two modes:
- Audit Mode: The script returns a CSV file with details of the items that have the property populated.
- Cleanup Mode: The script performs cleanup on detected items by either clearing the property or deleting the item.
Details can be found in the post linked above. Keep in mind, however, that deleted items on Exchange are only retained for a limited time (up to 30 days), so the scan will not find older attack attempts among deleted items.
Note also that I received some reports of false positives from the script on my German blog. There is also an issue on GitHub discussing this.
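As an added illustration (this is not Microsoft's CVE-2023-23397.ps1 and not code from the original post), the following PowerShell shows the core of what an audit pass over the PidLidReminderFileParameter property has to decide, and why false positives occur: the property legitimately holds a path to a custom reminder sound, so a local .wav path is harmless while a UNC path or WebDAV address forces the client to authenticate to a remote host. The classification regexes, the property names in the sample objects and the mailbox addresses are assumptions; the sample items are constructed rather than read from Exchange.

```powershell
# Added example, not Microsoft's script. Classifies the value of the
# PidLidReminderFileParameter property (PSETID_Common, ID 0x851F) as an
# audit pass would, then writes suspicious items to CSV.

function Test-ReminderFileParameter {
    param([AllowEmptyString()][string]$Value)

    # Default state: no custom reminder sound configured.
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'Empty' }

    switch -Regex ($Value) {
        # \\host@SSL@443\DavWWWRoot\... or \\host@8080\... : WebDAV via the
        # UNC provider; handled by the WebClient service, still NTLM.
        '^\\\\[^\\@]+@(SSL(@\d+)?|\d+)\\'      { return 'RemoteWebDAV' }
        # http(s)://host/... also ends up in the WebClient service.
        '^https?://'                            { return 'RemoteWebDAV' }
        # \\host\share\... and the \\?\UNC\host\share long-path form.
        # Internal file servers are flagged too and need triage; a trusted
        # host allow-list could be added here.
        '^\\\\(\?\\UNC\\)?[^\\]+\\'             { return 'RemoteUNC' }
        # Drive-letter, relative or bare file name: stays on the client.
        '^[A-Za-z]:\\|^\.{0,2}\\|^[^\\/:]+$'    { return 'Local' }
        default                                 { return 'Unknown' }
    }
}

# Constructed sample items standing in for what the EWS query in the real
# script returns (mailboxes and subjects are made up).
$items = @(
    [pscustomobject]@{ Mailbox='alice@corp.example'; ItemType='Appointment'; Subject='Sync'
                       ReminderFileParameter='\\203.0.113.7\share\alert.wav' }
    [pscustomobject]@{ Mailbox='bob@corp.example';   ItemType='Task';        Subject='Report'
                       ReminderFileParameter='\\files.corp.example@SSL@443\DavWWWRoot\r.wav' }
    [pscustomobject]@{ Mailbox='carol@corp.example'; ItemType='Appointment'; Subject='Standup'
                       ReminderFileParameter='C:\Windows\Media\Alarm01.wav' }
    [pscustomobject]@{ Mailbox='dave@corp.example';  ItemType='Email';       Subject='Hello'
                       ReminderFileParameter='' }
)

$audit = foreach ($i in $items) {
    $verdict = Test-ReminderFileParameter $i.ReminderFileParameter
    [pscustomobject]@{
        Mailbox    = $i.Mailbox
        ItemType   = $i.ItemType
        Subject    = $i.Subject
        Value      = $i.ReminderFileParameter
        Verdict    = $verdict
        Suspicious = ($verdict -like 'Remote*')
    }
}

# Audit-mode style result: only items pointing at a remote location go to CSV.
$audit | Where-Object { $_.Suspicious } |
    Export-Csv -Path .\CVE-2023-23397-audit.csv -NoTypeInformation
$audit | Format-Table Mailbox, ItemType, Verdict, Value -AutoSize
```

With the constructed input, alice's and bob's items are reported as RemoteUNC and RemoteWebDAV, carol's local .wav is classified Local and dave's empty property as Empty; only the first two reach the CSV. Against a real environment the verdicts still need triage, because an internal UNC path to a company file server is flagged as well, and that is exactly the kind of entry behind the false-positive reports mentioned above.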
More details and mitigation
Microsoft provided some details on how this vulnerability is exploited in the post on CVE-2023-23397. According to a separate blog post, an attacker sends a message carrying an extended MAPI property that contains a UNC path to an SMB share (TCP 445) on a server controlled by the threat actor. No user interaction is required to gain elevation of privilege (EoP).
The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay to other systems for authentication. The prerequisite is that those systems accept NTLM authentication. On Naked Security, this post goes into some detail on the NTLMv2 data that is exposed.
Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to attacks through these messages. The same applies when OWA (Outlook Web App) is used. Outlook for Android, iOS and Mac, as well as other Microsoft 365 services, are likewise not affected.
There are more details about the vulnerability in this MDSec blog post. For example, the PidLidReminderOverride property is set so that Outlook evaluates the PidLidReminderFileParameter property, which carries the malicious UNC path. The security researcher used these findings to build a simple exploit and demonstrates in a video how the incoming authentication is relayed to LDAP to add a shadow credential to the victim's account.
Customers can disable the WebClient service on their machines or block outbound TCP/445 traffic to prevent exploitation of the vulnerability. Blocking TCP/445 alone is not sufficient, because Windows falls back to WebDAV (the WebClient service) when SMB is unreachable; disabling WebClient, in turn, is only feasible where WebDAV connections are not required. Microsoft also suggests adding high-value accounts to the Protected Users security group, which prevents them from authenticating with NTLM at all. Microsoft has made concrete suggestions about this in the post about CVE-2023-23397.
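The following PowerShell is an added example of how an administrator could apply those mitigations with built-in cmdlets; it is not from the original post or from Microsoft's advisory. The firewall rule name and the user accounts are assumptions, and the steps should be piloted on a test group first, since each one has side effects noted in the comments.

```powershell
# Added example, not from the original post or Microsoft's advisory.
# Run from an elevated PowerShell session on the client, or via your
# management tooling. Rule name and account names below are assumed.

# 1. Block outbound SMB (TCP 445) to anything outside the local network, so
#    Outlook cannot reach an attacker's SMB server on the Internet. Shares
#    on LAN/VPN ranges (the 'Intranet'/'LocalSubnet' scopes) keep working.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Any

# 2. Without this step the block above is incomplete: when SMB fails, Windows
#    retries the UNC path over WebDAV (WebClient service, TCP 80/443), which
#    also authenticates with NTLM. Only disable it if nothing depends on WebDAV
#    (SharePoint "Open with Explorer", mapped WebDAV drives, etc.).
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Optional, for high-value domain accounts: members of 'Protected Users'
#    cannot authenticate with NTLM, so a captured Net-NTLMv2 response cannot
#    be relayed. Side effects: no Kerberos RC4, no delegation, 4-hour TGT
#    lifetime. Do not add service or computer accounts. Needs the
#    ActiveDirectory module and domain admin rights.
$highValueUsers = @('jdoe', 'exchange-admin')   # assumed sample accounts
Add-ADGroupMember -Identity 'Protected Users' -Members $highValueUsers

# Verify what was changed.
Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' |
    Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort
Get-Service -Name WebClient | Select-Object Status, StartType
```

Steps 1 and 2 belong together: either one on its own leaves a path for the NTLM authentication to leave the machine. Step 3 protects the account rather than the client and is the only one of the three that also helps when a user reads the mail on an unmanaged device.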
A Yara rule has also been published that identifies the PidLidReminderFileParameter property in .msg appointment files. Details can be found on GitHub.
Vulnerability is exploited
The vulnerability, and its exploitation in the wild, was discovered by the Computer Emergency Response Team of Ukraine (CERT-UA) together with Microsoft. Microsoft published a blog post about it on March 14, 2023: a Russian threat actor is exploiting the vulnerability.
Bleeping Computer has also reported on this. Its staff were able to view a threat analysis that Microsoft provided to customers with a subscription to Microsoft 365 Defender, Microsoft Defender for Business or Microsoft Defender for Endpoint Plan 2.
According to that analysis, the Russian hacking group Fancy Bear (also known as APT28, STRONTIUM, Sednit and Sofacy) sent crafted Outlook messages (and tasks) to steal the aforementioned NTLM hashes via the NTLM negotiation. The attacks exploiting the vulnerability took place between mid-April and December 2022.
The attackers penetrated the networks of fewer than 15 government, military, energy and transportation organizations. The stolen credentials were then used for lateral movement within the victims' networks and to change permissions on Outlook mailbox folders.
Microsoft Security Update Summary (March 14, 2023)
Patchday: Windows 10-Updates (March 14, 2023)
Patchday: Windows 11/Server 2022-Updates (March 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (March 14, 2023)
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)