Brief addendum to the March 2023 patchday. Microsoft shipped a security update for the critical Outlook vulnerability CVE-2023-23397 on March 14, 2023. But the patch is incomplete: the attack can still be triggered with slightly modified emails. In the meantime a proof of concept is public that demonstrates how the vulnerability is exploited.
Critical EoP Vulnerability CVE-2023-23397
Microsoft Outlook still carries the not fully patched critical vulnerability CVE-2023-23397, which lets a remote attacker escalate privileges. This elevation of privilege (EoP) vulnerability is rated critical and has a CVSS v3 base score of 9.8. The problem: an attacker sends a specially crafted email to a vulnerable Outlook. As soon as Outlook retrieves and processes this mail, even before it is displayed in the preview pane, it connects, without any user interaction, to a server controlled by the attacker.
The attacker can thus capture the Net-NTLMv2 hash (more precisely, the NTLMv2 challenge/response) of the email recipient (see also this article from 2019 for an explanation). With it, the attacker can authenticate as the victim to other services in an NTLM relay attack. The vulnerability has been actively exploited by Russian attackers since mid-April 2022 (see also this post from Deep Instinct describing cases). Other attackers appear to be exploiting it as well (see this Palo Alto Networks article).
PoC available, patch your Outlook
On March 22, 2023, a security researcher demonstrated a proof of concept (PoC) for exploiting the vulnerability in a video on Twitter (click the image below to play the video on Twitter, or access it on the GitHub page) and published the code for it on GitHub.
So far the only advice to be read is that administrators and users should patch the supported Outlook versions (e.g. Outlook 2013 and 2016). I had pointed out this vulnerability both in the blog post Patch critical EvP vulnerability CVE-2023-23397 in Outlook and in other posts (see the link list at the end of the article).
If I understand it correctly, this is primarily a problem in enterprise environments, where the captured Net-NTLMv2 hash of the email recipient could be abused for lateral movement across IT networks with Microsoft servers.
Vulnerability incompletely patched
The problem with all the calls to patch is that Microsoft has not fully closed the attack vector of CVE-2023-23397. Blog reader 1ST1 points this out in this comment (thanks for that). Dominic Chell demonstrates in the video embedded in the following tweet (click the image to open the video on Twitter) that the vulnerability can still be exploited.
At this point administrators are left with the question of what to do now. I refer to the Microsoft post on CVE-2023-23397, which says in the "Mitigations" section:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
So, ad hoc, I would say that blocking outbound TCP 445/SMB traffic in a firewall or other solutions mitigates the problem, because it prevents NTLM authentication messages from being sent to remote file shares. The vulnerability can then no longer be exploited in this way. The Microsoft blog post Microsoft Mitigates Outlook Elevation of Privilege Vulnerability gives some more information about affected products (Outlook for Windows in all versions) and the impact in enterprise environments.
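The two Microsoft mitigations quoted above can be applied and verified from PowerShell. The following is an added example (my own, not a script from the blog post or from Microsoft): it creates and checks a local outbound block rule for TCP 445 and adds high-value accounts to the Protected Users group. The rule display name, the account names and the probe host are assumptions for illustration; the Protected Users part needs the ActiveDirectory RSAT module and domain admin rights.

```powershell
#Requires -RunAsAdministrator

# 1) Block outbound SMB (TCP 445) on the local Windows Firewall.
#    Block rules win over allow rules, so if internal file servers must stay reachable,
#    narrow -RemoteAddress to the ranges you want cut off instead of 'Any'.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'   # assumed display name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify the rule exists, is enabled, and really covers TCP/445.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
'{0}: enabled={1} action={2} proto={3} remoteport={4}' -f `
    $rule.DisplayName, $rule.Enabled, $rule.Action, $port.Protocol, $port.RemotePort

# Live check: an outbound connection to an external host on 445 must now fail
# (TcpTestSucceeded = False). Replace the host with a system you are allowed to probe.
Test-NetConnection -ComputerName 'smb-test.example.com' -Port 445 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 2) Put high-value accounts into Protected Users, which prevents NTLM authentication
#    for them. Expect breakage for anything that still relies on NTLM for these users.
Import-Module ActiveDirectory
$highValue = @('da-jdoe', 'da-asmith')   # assumed sample account names
$members = Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName
foreach ($sam in $highValue) {
    if ($members -notcontains $sam) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
    }
}
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
```

The firewall part only stops the SMB leg the blog post discusses; it does not cover other ways of provoking NTLM authentication, so treat it as a stopgap until a complete Outlook fix is installed.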