Microsoft recently patched a zero-day vulnerability under active exploit in Microsoft Outlook, identified as CVE-2023-23397, which could enable an attacker to perform a privilege escalation, accessing the victim’s Net-NTLMv2 challenge-response authentication hash and impersonating the user.
Now it’s becoming clear that CVE-2023-23397 is dangerous enough to become the most far-reaching bug of the year, security researchers are warning. Since disclosure just three days ago, more proof-of-concept (PoC) exploits have sprung onto the scene, which are sure to translate into snowballing criminal interest — helped along by the fact that no user interaction is required for exploitation.
If patching isn’t possible quickly, there are some options for addressing the issue, noted below.
Easy Exploit: No User Interaction Necessary
The vulnerability allows the attackers to steal NTLM authentication hashes by sending malicious Outlook notes or tasks to the victim. These trigger the exploit automatically when they’re retrieved and processed by the Outlook client, which could lead to exploitation before the email is viewed in the Preview Pane. In other words, a target doesn’t actually have to open the email to fall victim to an attack.
Discovered by researchers from Ukraine’s Computer Emergency Response Team (CERT) and by one of Microsoft’s own researchers — and patched earlier this week as part of Microsoft’s Patch Tuesday update — the bug affects those running an Exchange server and the Outlook for Windows desktop client. Outlook for Android, iOS, Mac, and Outlook for Web (OWA) are unaffected.
“External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control,” says Mark Stamford, founder and CEO of OccamSec. This will leak the Net-NTLMv2 hash of the victim to the attacker, who can then relay this to another service and authenticate as the victim, he explains.
A Range of Potential Exploit Impacts
Nick Ascoli, founder and CEO of Foretrace, points out while Microsoft didn’t mention how the criminals were using it within their attacks, it allows the reuse of the stolen authentication to connect to other computers over the network for lateral movement.
“The range of possible attacks could go from data exfiltration to potentially installing malware, depending on the permissions of the victim,” he says.
Bud Broomhead, CEO at Viakoo, notes that “the likely victims are ones most susceptible to business email compromise (BEC) and to having their identity used for other forms of exploits.” He points out there are a few areas that this potentially impacts, the most serious being identity management and trust of internal email communications.
“The risks also include breaching of core IT systems, distribution of malware, business email compromise for financial gain, and disruption of business operations and business continuity,” Broomhead cautions.
Is This the “It” Bug of 2023?
Viakoo’s Broomhead says that while at this point in 2023 there could be many possible “It” bugs coming from Microsoft, this is certainly a contender.
“Because it impacts organizations of all types and sizes, has disruptive methods of mitigation, and training employees on it won’t stop it, this could be a vulnerability that requires more significant effort to mitigate and remediate,” he explains.
He notes the attack surface is at least as big as the user base of desktop Outlook (massive), and potentially core IT systems connected to Windows 365 (very massive), and even any recipients of emails sent through Outlook (pretty much everyone).
Then as mentioned, the PoCs that are circulating makes the situation even more attractive to cybercriminals.
“Since the vulnerability is public and instructions for a proof-of-concept are well documented now, other threat actors may adopt the vulnerability in malware campaigns and target a more widespread audience,” adds Daniel Hofmann, CEO of Hornetsecurity. “Overall, exploiting the vulnerability is simple, and public proofs-of-concept can already be found on GitHub and other open forums.”
What should businesses do? They may have to look beyond patching, Broomhead warns: “Mitigation in this case is difficult, as it causes disruption in how emails systems and users within it are configured.”
How to Protect Against CVE-2023-23397
For those unable to patch right away, Hornetsecurity’s Hofmann says that to better protect the organization, administrators should block TCP 445/SMB outbound traffic to the Internet from the network using perimeter firewalls, local firewalls, and VPN settings.
“This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397,” he explains.
Organizations should also add users to the “Protected Users Security Group” in Active Directory to prevent NTLM as an authentication mechanism.
“This approach simplifies troubleshooting compared to other methods of disabling NTLM,” Broomhead says. “It is particularly useful for high-value accounts, such as domain administrators.”
He points out Microsoft has provided a script to identify and clean up or remove Exchange messages with UNC paths in message properties, and it advises administrators to apply the script to determine if they have been affected by the vulnerability and to remediate it.
