Patch Tuesday Blog | Critical Patches

Microsoft Office Critical Update – CVE-2023-23397

By Raunak Desai

Issue Summary

On March 14th, 2023, Microsoft released an update for Outlook addressing a vulnerability with a criticality score of 9.8 out of a maximum of 10. This score indicates that the vulnerability is critical and can be exploited remotely: it can cause complete compromise of the system or application with no direct user interaction. The vulnerability is tracked as CVE-2023-23397.

Microsoft confirmed the magnitude of risk that this vulnerability possesses. It needs immediate attention as the exploit is triggered upon receipt of a malicious email. The attacker can exploit this vulnerability by sending a specifically crafted email that triggers the vulnerability automatically when it is retrieved and processed by the Outlook client. This means that the attacker can gain access to the victim’s environment before the email is even viewed by the recipient user.

Impacted Products

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook, such as Outlook for Android, iOS, and Mac, as well as the Microsoft 365 online services, do not support NTLM authentication and are not affected.

CVE-2023-23397 – Security Update Guide – Microsoft – Microsoft Outlook Elevation of Privilege Vulnerability

How can an attacker exploit this vulnerability?

This vulnerability gives the attacker access to the victim’s Net-NTLMv2 hash, which they can use to authenticate as the victim on other services. According to Microsoft, to exploit CVE-2023-23397 and collect NTLM hashes, an attacker has to send a message carrying an extended MAPI property whose value is a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. The captured NTLM hashes can subsequently be used in NTLM relay attacks to gain deeper access to corporate networks.

Note: CVE-2023-23397 is a critical EoP (Elevation of Privilege) vulnerability in Microsoft Outlook.

What is Net-NTLMv2 hash?

Windows New Technology LAN Manager (NTLM) is a type of password hash, or hashed login credentials, used by Windows environments for user authentication. In addition to that, it also supports mutual authentication: during the authentication process, both the client and the server confirm each other’s identities for an extra layer of security.

Impact evaluation

Microsoft is offering documentation and a script at CVE-2023-23397 script – Microsoft – CSS-Exchange to help users discover if attackers are attempting to exploit this vulnerability within their virtual environments.

Once this script is run, it is imperative that the output is assessed for potential risk. If a user finds tasks, emails, or calendar items that they cannot positively identify, the items should be immediately reviewed for malicious intent. Per Microsoft’s report, “If objects are detected, they should be removed. If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.”
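The review step above comes down to one question per item: does the reminder-file property (the extended MAPI property PidLidReminderFileParameter that Microsoft's guidance refers to) hold a UNC path, and does that path point outside the organisation? The following Python is an added triage helper, not Microsoft's script or any code from this post; the record field names and the sample items are constructed assumptions standing in for a mailbox scan's per-item output.

```python
import re

# Constructed sample records, one per scanned mailbox item. The field names
# are an assumption for this example, not the CSS-Exchange script's schema.
SAMPLE_ITEMS = [
    {"type": "Appointment", "sender": "alice@corp.example", "subject": "Standup",
     "reminder_file": r"C:\Windows\Media\chimes.wav"},
    {"type": "Mail", "sender": "news@corp.example", "subject": "Weekly digest",
     "reminder_file": ""},
    {"type": "Task", "sender": "hr@corp.example", "subject": "Timesheet",
     "reminder_file": r"\\fileserver01.corp.example\media\ding.wav"},
    {"type": "Appointment", "sender": "invite@unknown.example", "subject": "Review",
     "reminder_file": r"\\203.0.113.10\share\alert.wav"},
]

# Hosts the organisation actually serves SMB from (assumed values).
TRUSTED_HOSTS = {"fileserver01.corp.example"}

# A UNC path starts with two backslashes; the first component is the host
# that Outlook would open an SMB (TCP 445) connection to when the reminder fires.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def classify_reminder_file(value, trusted_hosts):
    """Return 'none', 'local', 'unc-internal' or 'unc-external' for one value."""
    if not value:
        return "none"
    match = UNC_RE.match(value)
    if not match:
        return "local"          # e.g. C:\Windows\Media\*.wav: no network auth
    host = match.group(1).lower()
    return "unc-internal" if host in trusted_hosts else "unc-external"


def triage(items, trusted_hosts):
    """Keep only items whose reminder file is a UNC path, external ones first.

    Any UNC value makes Outlook authenticate to that host, so internal hits
    still deserve a look; external hits are the ones to treat as malicious.
    """
    flagged = []
    for item in items:
        verdict = classify_reminder_file(item["reminder_file"], trusted_hosts)
        if verdict.startswith("unc-"):
            flagged.append({**item, "verdict": verdict})
    flagged.sort(key=lambda r: r["verdict"] != "unc-external")
    return flagged


if __name__ == "__main__":
    for row in triage(SAMPLE_ITEMS, TRUSTED_HOSTS):
        print(row["verdict"], row["type"], row["sender"], row["reminder_file"])
```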

Sources:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center

Client Remediation

Microsoft has published an update to address the issue for the following versions of Outlook:

Manually Invoke an Office Update Check

Admins can force the Office client to perform an update check using the following command, which can be deployed as a script or as a Proactive Remediation from Intune:

"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user displaylevel=false forceappshutdown=false

Raunak Desai

Raunak has been using Intune and SCCM since the beginning of his career, is fond of cloud tech, and is eager to learn new technology. Working as a Customer Engineer with Patch My PC, his versatile technical skillset includes handling complex data, technical issues and personnel support tasks in distributed environments. He is also a fantastic cricketer who led a squad for nearly two years in college.

Raunak also writes for the Patch My PC Blog.
