Last week, Microsoft Threat Intelligence discovered a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook that allows for New Technology LAN Manager (NTLM) credentials to be stolen. Threat actors can potentially authenticate, escalate privileges, and gain access to the victim’s Windows environments. Barracuda SOC recommends installing the latest Outlook security update and performing Microsoft’s impact assessment.
What is the threat?
CVE-2023-23397 is a critical EoP vulnerability that exists within Microsoft Outlook. It is triggered when the threat actor sends a message carrying an extended Messaging Application Programming Interface (MAPI) property that contains a Server Message Block (SMB) share path on a malicious server. User interaction with the message is not required. The resulting connection to the threat actor's remote server exposes the victim's NTLM credentials. The threat actor then uses those credentials to authenticate to the victim's systems that accept NTLM authentication, leading to privileges being escalated. All supported versions of Microsoft Outlook for Windows are impacted by CVE-2023-23397.
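The property the advisory describes is, in Microsoft's documentation, the reminder file parameter (PidLidReminderFileParameter, a name the advisory itself does not use). The function below is an added example, not part of the Barracuda advisory or of Microsoft's assessment script: it classifies the value of that property so an analyst can tell a normal local sound file from a UNC path that would cause Outlook to reach out to a remote host. The `-InternalSuffix` parameter and the sample values are constructed for illustration; `.corp.example` and the IP addresses are placeholders.

```powershell
# Added example (not from the advisory): classify a reminder-file property value by
# whether it would make Outlook open an SMB connection, and to what kind of host.
function Get-ReminderPathRisk {
    param(
        [string]$Value = '',                 # the raw property value from a mail item
        [string[]]$InternalSuffix = @()      # DNS suffixes you consider internal (assumed)
    )

    # A reminder sound is normally unset or a local file; both are expected.
    if ([string]::IsNullOrWhiteSpace($Value)) { return 'Empty' }
    if ($Value -match '^[A-Za-z]:\\')        { return 'LocalPath' }

    # UNC forms: \\host\share\... and the long form \\?\UNC\host\share\...
    if ($Value -match '^\\\\(\?\\UNC\\)?(?<host>[^\\]+)\\') {
        $target = $Matches['host']

        # RFC 1918 address ranges are treated as internal.
        if ($target -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
            return 'UNC-Internal'
        }
        foreach ($suffix in $InternalSuffix) {
            if ($target.ToLower().EndsWith($suffix.ToLower())) { return 'UNC-Internal' }
        }
        # Any other UNC target means an outbound SMB authentication attempt to a
        # host outside the environment: this is the condition to investigate.
        return 'UNC-External'
    }
    return 'Other'
}

# Constructed sample values, as an analyst might collect them per mail item.
$samples = [ordered]@{
    'Weekly sync'       = ''
    'Dentist'           = 'C:\Windows\Media\chimes.wav'
    'Team offsite'      = '\\fs01.corp.example\shared\reminder.wav'
    'Invoice reminder'  = '\\203.0.113.10\share\alert.wav'
    'Long-form example' = '\\?\UNC\198.51.100.7\c$\x.wav'
}

foreach ($entry in $samples.GetEnumerator()) {
    [pscustomobject]@{
        Item  = $entry.Key
        Value = $entry.Value
        Risk  = Get-ReminderPathRisk -Value $entry.Value -InternalSuffix '.corp.example'
    }
}
```

In this sample the last two items are reported as `UNC-External`; those are the ones Microsoft's impact assessment would flag for review and cleanup. Collecting the property values themselves is what Microsoft's published script does (via Exchange Web Services), so this function is only the classification step, not a replacement for running that script.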
Why is it noteworthy?
Microsoft Outlook is an email client used by businesses globally to send and receive emails. CVE-2023-23397 received a Common Vulnerability Scoring System (CVSS) critical base score of 9.8 out of 10 according to NIST's National Vulnerability Database. All supported versions of Microsoft Outlook for Windows are impacted. This vulnerability is especially dangerous because user interaction is not required: the victim is affected the moment the email reaches their inbox. Businesses using Microsoft Outlook on the Windows operating system are directly affected by this EoP vulnerability and should assess their exposure carefully.
What is the exposure or risk?
Elevation of privilege vulnerabilities are deemed critical because they can lead to full access to all systems in a victim's environment. This vulnerability exposes sensitive credentials, allowing threat actors to relay them back into the victim's Outlook environment. Given the nature of Microsoft Outlook, personal and confidential data within these environments is at risk of being exposed when the vulnerability is exploited. Microsoft has recently provided mitigations for CVE-2023-23397.
What are the recommendations?
Barracuda SOC recommends the following actions to limit the impact of this Microsoft Outlook vulnerability:
- Immediately install the Outlook security update, regardless of where your mail is hosted.
- Perform Microsoft's Impact Assessment (documentation and script provided at https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/).
- Block TCP 445/SMB outbound from your network to prevent the sending of NTLM authentication messages to remote file shares.
- Add users to the Protected Users security group in Active Directory to prevent the use of NTLM authentication for those accounts.
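The following is an added example, not from the Barracuda advisory or from Microsoft, of applying the SMB-blocking and Protected Users recommendations above on a Windows host and in an Active Directory domain, together with the checks an administrator would run afterwards. The account name `jdoe` and the rule names are placeholders; the use of the `Internet` address keyword relies on Windows Firewall's Network Location Awareness classification, so the perimeter firewall remains the authoritative place to block TCP 445 leaving the network. The impact assessment script itself is run separately according to the documentation at the link above.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session;
# the ActiveDirectory module (RSAT) is needed for the Protected Users step.

# --- 1. Block outbound SMB (TCP 445) from this host to non-local addresses -------------
# 'Internet' is a Windows Firewall address keyword for addresses outside the local
# network; file-server access on the intranet keeps working, while the connection to
# a remote attacker-controlled share that CVE-2023-23397 depends on is refused.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verify the rule exists and is enabled with the intended port filter.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# --- 2. Add selected user accounts to the Protected Users group ------------------------
# Protected Users membership disables NTLM for the account (and also disables
# Kerberos delegation and DES/RC4, and shortens ticket lifetimes), so add only
# interactive user accounts, never service or computer accounts, and test first.
Import-Module ActiveDirectory
$accounts = @('jdoe')   # placeholder account names

foreach ($sam in $accounts) {
    $user = Get-ADUser -Identity $sam
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}

# Confirm membership so the change can be evidenced in the ticket.
Get-ADGroupMember -Identity 'Protected Users' |
    Where-Object { $_.SamAccountName -in $accounts } |
    Select-Object SamAccountName, objectClass
```

Protected Users is enforced by domain controllers running Windows Server 2012 R2 or later, and accounts added to it will fail to authenticate to any application that only supports NTLM, which is the point of the control but also why the group is applied to a tested set of accounts rather than to everyone at once. The firewall step complements it: Protected Users stops the credential from being accepted, while the outbound block stops the authentication attempt from leaving the host.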
References
For more in-depth information about the recommendations, please visit the following links:
- https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
- https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-outlook-2016-march-14-2023-kb5002254-a2a882e6-adad-477a-b414-b0d96c4d2ce3
- https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397
- https://nvd.nist.gov/vuln/detail/CVE-2023-23397
If you have any questions, please contact our Security Operations Center.