Written by Lina Jiménez Becerra, Anton Jörgensson and Mark Stueck of the Kudelski Security Threat Detection & Research Team
CVE-2023-23397: Elevation of Privilege in Microsoft Outlook, triggered when Outlook processes a specially crafted incoming email
Update – March 16th – 0930 CET
Microsoft updated their recommendations to reduce the risk of WebDAV based attacks, adding the following:
- Disable the WebClient service running on your organisation’s machines. This will block all WebDAV connections, including intranet, which might impact some users or applications.
CVE-2023-23397 is an actively exploited zero-day vulnerability affecting Microsoft Outlook that was addressed in Microsoft's March 2023 Patch Tuesday. Using NTLM relay attack techniques, an external attacker can prepare a crafted email that, once retrieved and processed by the victim's Outlook client, makes the victim's machine open a connection to an external location under the attacker's control. That connection leaks the victim's Net-NTLMv2 hash, which the attacker can then relay to authenticate as the victim against another service.
Publicly available information sources indicate that the vulnerability was actively exploited between April and December 2022 by APT28, a threat actor known to be linked to Russia's intelligence services, to target the networks of government, military, energy and transportation organisations.
At the time of this writing, no specific details are available regarding successful exploitation of CVE-2023-23397. Nevertheless, Microsoft has published a script to audit an Exchange server and identify mail items that could be used for exploitation.
Affected Systems and/or Applications
The vulnerability affects several versions of Microsoft Outlook, in both 32- and 64-bit editions, specifically those listed below:
- Microsoft Outlook 2016 (64-bit edition)
- Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
- Microsoft Outlook 2013 RT Service Pack 1
- Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2019 for 32-bit editions
- Microsoft Office 2019 for 64-bit editions
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft Office LTSC 2021 for 64-bit editions
- Microsoft Outlook 2016 (32-bit edition)
- Microsoft Office LTSC 2021 for 32-bit editions
Technical Details / Attack Overview
Information provided by Microsoft indicates that NTLM relay attacks can be used to exploit this vulnerability; in such an attack a threat actor positions themselves between a client and a server to intercept authentication traffic.
Nevertheless, further details on how a threat actor establishes the required positioning for the NTLM relay attack through exploitation are still under investigation.
Analysis of a PowerShell script provided by Microsoft suggests that the attack abuses specific properties of Exchange mail items, namely “PidLidReminderFileParameter” and “PidLidReminderOverride”. The former controls which sound file the Outlook client plays when the reminder for the mail item is triggered. The latter specifies whether the client should honour the values of the “dispidReminderPlaySound” (PidLidReminderPlaySound) and “dispidReminderFileParam” (PidLidReminderFileParameter) properties. Since PidLidReminderFileParameter accepts a filename, an attacker can set it to a UNC path pointing at a host they control and set “PidLidReminderOverride” so that the client honours it; when the reminder fires, the client connects to that path and triggers NTLM authentication to the attacker's host.
Threat Actor Post Exploitation Activity
Successful execution of an NTLM relay attack, and in particular the technique associated with CVE-2023-23397, would allow a threat actor to gain unauthorized access to corporate resources. Depending on the impacted host, this could include local authentication to Windows systems and Windows passwords stored on Active Directory Domain Controllers.
With local access to a compromised system, attack progression can vary based on Group Policy Configurations and security settings. Possibilities include, but are not limited to:
- Local account creation
- Machine account creation
- Lateral movement
- Data exfiltration
- Establishing persistence mechanisms
- Introducing malicious tools into an environment
- Remote Code Execution (RCE)
- Offline password cracking attacks
Kudelski Security strongly recommends patching Outlook clients impacted by CVE-2023-23397 as soon as possible. The fix was released as part of Patch Tuesday; please refer to Microsoft's update guidance for the appropriate security update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Temporary workarounds and mitigations
In addition to executing the provided script to verify Exchange messaging items, Microsoft has recommended the below actions to mitigate this vulnerability:
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible.
- Please note: This may impact applications that require NTLM; however, the settings revert once the user is removed from the Protected Users group. Please see “Protected Users Security Group” for more information.
- Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
Kudelski Security recommends using the PowerShell script recently published by Microsoft to check the affected Exchange servers and identify potential indicators of attack, such as malicious e-mails sent to exploit this vulnerability.
According to Microsoft, the script's Audit Mode assesses whether items within Exchange, such as mail, tasks or calendar appointments, have a property set to a Universal Naming Convention (UNC) path, for example “\\host-name\share-name\file_path”.
The PowerShell script also includes a Cleanup Mode, which deletes any messages that contain a suspicious UNC property value.
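As an added illustration of the audit check described above, the following Python re-implements it offline over constructed sample items. This is example code written for this article, not Microsoft's script and not Kudelski Security's tooling: the item dictionaries, the host names, the `internal_suffixes` parameter and the `audit_items` function are assumptions for the example, while the property names are the MAPI names cited in the advisory. It also parses the WebDAV forms of a UNC path (`\\host@80\...`, `\\host@SSL@443\...`) mentioned in the March 16th update, and records whether PidLidReminderOverride is set, which is the condition under which the client honours the file parameter.

```python
import ipaddress
import re

# Matches a UNC path, including the WebDAV forms \\host@80\... and \\host@SSL@443\...
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<dav>@(?:SSL@)?\d+|@SSL)?(?:\\(?P<path>.*))?$"
)


def parse_unc(value):
    """Return (host, is_webdav, path) if value is a UNC path, else None."""
    if not isinstance(value, str):
        return None
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    return m.group("host"), m.group("dav") is not None, m.group("path") or ""


def classify_host(host, internal_suffixes=()):
    """'internal' for private/loopback/link-local IPs, single-label names and
    names under a known internal DNS suffix (assumed, passed by the caller);
    everything else is 'external'."""
    try:
        ip = ipaddress.ip_address(host)
        return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"
    except ValueError:
        pass
    name = host.lower().rstrip(".")
    if "." not in name:
        return "internal"
    if any(name == s or name.endswith("." + s) for s in internal_suffixes):
        return "internal"
    return "external"


def audit_item(item, internal_suffixes=()):
    """Flag an item whose reminder file parameter is a UNC path.

    PidLidReminderOverride is recorded rather than used as a filter: the client only
    honours the file parameter when override is set, but a stored UNC path is still
    worth reviewing (or cleaning up) even if override is currently false."""
    parsed = parse_unc(item.get("PidLidReminderFileParameter"))
    if parsed is None:
        return None
    host, is_webdav, path = parsed
    return {
        "id": item["id"],
        "host": host,
        "path": path,
        "webdav": is_webdav,
        "host_class": classify_host(host, internal_suffixes),
        "override_set": bool(item.get("PidLidReminderOverride")),
    }


def audit_items(items, internal_suffixes=()):
    """Run audit_item over every item and keep only the findings."""
    return [f for f in (audit_item(i, internal_suffixes) for i in items) if f]


# Constructed sample mailbox items (not real data). Fetching real items from the
# Exchange server is assumed to happen elsewhere; only the check logic is shown.
SAMPLE_ITEMS = [
    {"id": "msg-1", "PidLidReminderOverride": False, "PidLidReminderFileParameter": None},
    {"id": "msg-2", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},        # local file, benign
    {"id": "msg-3", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\dav.example.net@SSL@443\reminders\alert.wav"},  # external WebDAV
    {"id": "msg-4", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\fileserver\share\ding.wav"},        # single-label internal name
    {"id": "msg-5", "PidLidReminderOverride": False,
     "PidLidReminderFileParameter": r"\\10.20.30.40\media\x.wav"},          # private IP, override unset
]

if __name__ == "__main__":
    for finding in audit_items(SAMPLE_ITEMS, internal_suffixes=("corp.example",)):
        print(finding)
```

Run stand-alone, the script reports msg-3, msg-4 and msg-5; msg-3 is the one to treat as a priority, since its host is external, it uses the WebDAV syntax and the override flag is set. Internal hits still deserve a look, because a legitimately configured reminder sound on an internal share is rare and a compromised internal host could be used as a relay point.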
What the Cyber Fusion Center is doing
The CFC is monitoring how this critical zero-day vulnerability evolves. In addition, the CFC recommends the following security best practices:
- Block outbound SMB traffic by blocking outbound network connections on TCP port 445. In the context of this vulnerability, this prevents NTLM authentication messages (which carry the Net-NTLMv2 hash) from being sent to adversary-owned infrastructure.
- Deploy the CFC detection for allowed outbound connections on port 445 at the perimeter firewall for MDR customers.
- Add users to the AD Protected Users group, which prevents its members from authenticating with NTLM. If this breaks legitimate NTLM authentication, users can be removed from the group, so it can also be applied as a temporary measure.
Following these recommendations is strongly advised.
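The detection in the second recommendation, allowed outbound connections on port 445 leaving the perimeter, can be illustrated with a small log-scanning routine. The following Python is an added example written for this article, not the CFC's actual detection content: the key=value log format, the sample lines, the internal ranges in `INTERNAL_NETS` and the `detect`/`summarize` functions are all assumptions, and a real deployment would read the firewall's own export format instead.

```python
import ipaddress
import re
from collections import Counter

# Assumed internal address space (RFC 1918); adjust to the organisation's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination ports that should never be reachable outbound across the perimeter.
WATCHED_PORTS = {445}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<timestamp> key=value key=value ...' into a dict, or None if unparseable."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def is_internal(ip_str):
    """True when the address falls inside one of the assumed internal networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_suspicious(ev):
    """An allowed, outbound TCP connection on a watched port to a non-internal host."""
    return (
        ev.get("action") == "allow"
        and ev.get("dir") == "out"
        and ev.get("proto") == "tcp"
        and ev.get("dpt", "").isdigit()
        and int(ev["dpt"]) in WATCHED_PORTS
        and not is_internal(ev.get("dst", ""))
    )


def detect(lines):
    """Return the parsed events that match the detection logic."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            hits.append(ev)
    return hits


def summarize(hits):
    """Count hits per internal source; one host repeatedly reaching external port 445 is the lead to follow."""
    return Counter(h["src"] for h in hits)


# Constructed sample firewall export (not real traffic); 198.51.100.7 stands in for an external host.
SAMPLE_LOG = """\
2023-03-15T10:01:02Z action=allow dir=out proto=tcp src=10.1.2.3 spt=51234 dst=198.51.100.7 dpt=445
2023-03-15T10:01:05Z action=deny dir=out proto=tcp src=10.1.2.3 spt=51235 dst=198.51.100.7 dpt=445
2023-03-15T10:02:11Z action=allow dir=out proto=tcp src=10.1.2.3 spt=51240 dst=10.0.0.20 dpt=445
2023-03-15T10:03:40Z action=allow dir=out proto=tcp src=10.1.2.9 spt=51300 dst=198.51.100.9 dpt=443
2023-03-15T10:04:01Z action=allow dir=out proto=tcp src=10.1.2.3 spt=51250 dst=198.51.100.7 dpt=445
2023-03-15T10:05:00Z action=allow dir=in proto=tcp src=10.1.2.50 spt=445 dst=10.1.2.3 dpt=50001
garbage line without fields
""".splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ev in found:
        print(ev["ts"], ev["src"], "->", ev["dst"], "dpt", ev["dpt"])
    print(summarize(found))
```

On the sample data only the two allowed, outbound, external port-445 events from 10.1.2.3 are reported; the denied attempt, the internal SMB traffic, the HTTPS connection and the inbound session are ignored. Once the outbound 445 block from the first recommendation is in place, the same logic can be kept running on the deny events to spot clients that are still being induced to reach out.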
Lastly, the CFC will update this article accordingly as new information and technical details emerge for CVE-2023-23397.