On March 14th, 2023, Microsoft released an update for Outlook addressing CVE-2023-23397, a vulnerability rated 9.8 out of a maximum of 10. A score this high indicates a critical vulnerability that can be exploited remotely, and that successful exploitation can lead to complete compromise of the system or application with no direct user interaction.
Microsoft confirmed the magnitude of risk that this vulnerability poses. It needs immediate attention because the exploit is triggered upon receipt of a malicious email: the attacker sends a specially crafted message, and the vulnerability fires automatically when the Outlook client retrieves and processes it. This means the attacker can gain access to the victim’s environment before the recipient has even viewed the email.
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook, such as Outlook for Android, iOS and Mac, and online services such as the Microsoft 365 web applications, do not support NTLM authentication and are not affected.
How can an attacker exploit this vulnerability?
This vulnerability gives the attacker access to the victim’s Net-NTLMv2 hash, which they can use to authenticate as the victim to other services. According to Microsoft, to exploit CVE-2023-23397 an attacker sends a message containing an extended MAPI property with a UNC path to an SMB (TCP 445) share on a server the threat actor controls, which allows them to collect NTLM hashes. The captured NTLM hashes can subsequently be utilised in NTLM relay attacks to gain deeper access to corporate networks.
Note: CVE-2023-23397 is a critical EoP (Escalation of Privilege) vulnerability in Microsoft Outlook.
What is a Net-NTLMv2 hash?
Windows New Technology LAN Manager (NTLM) is a type of password hash, or hashed login credential, used by Windows environments for user authentication. In addition, it also supports mutual authentication: during the authentication process, both the client and the server confirm each other’s identities for an extra layer of security.
Microsoft is offering documentation and a script (“CVE-2023-23397 script – Microsoft – CSS-Exchange”) to help users discover whether attackers are attempting to exploit this vulnerability within their environments.
Once this script is run, it is imperative that the output is assessed for potential risk. If a user finds tasks, emails, or calendar items that they cannot positively identify, the items should be immediately reviewed for malicious intent. Per Microsoft’s report, “If objects are detected, they should be removed. If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.”
Microsoft has published an update to address the issue for the following versions of Outlook:
- Description of the security update for Outlook 2013: March 14, 2023 (KB5002265) – Microsoft Support
- Description of the security update for Outlook 2016: March 14, 2023 (KB5002254) – Microsoft Support
Manually Invoke an Office Update Check
Admins can force the Office client to perform an update check using the following command, which can be deployed as a script or as a Proactive Remediation from Intune.
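As an added example (not code from the post, Microsoft or Patch My PC), the following PowerShell wraps that update check in detection logic suitable for an Intune script or the detection side of a Proactive Remediation: it reads the installed Click-to-Run build from the standard Click-to-Run registry location, compares it with a minimum build, and only then invokes OfficeC2RClient.exe. The minimum build is a placeholder that must be taken from the KB article for your update channel.

```powershell
# Added example: check the installed Click-to-Run Office build and, if it is
# below the build that carries the March 2023 Outlook fix, trigger a client-side
# update check. Assumes a Click-to-Run installation of Office.
# PLACEHOLDER: replace with the fixed build number for your update channel.
$MinimumFixedVersion = [version]'16.0.0.0'

$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$c2rClient = Join-Path $env:CommonProgramFiles 'Microsoft Shared\ClickToRun\OfficeC2RClient.exe'

# Exit 0 = compliant / nothing to do, exit 1 = remediation needed (Intune convention).
if (-not (Test-Path $c2rKey) -or -not (Test-Path $c2rClient)) {
    Write-Output 'Click-to-Run Office not found; nothing to do.'
    exit 0
}

$installed = [version](Get-ItemProperty -Path $c2rKey -Name VersionToReport).VersionToReport
Write-Output "Installed Office build: $installed"

if ($installed -ge $MinimumFixedVersion) {
    Write-Output 'Office build is at or above the fixed build.'
    exit 0
}

# Out of date: ask the Click-to-Run client to check for and apply updates.
# displaylevel=false keeps the run silent; forceappshutdown=true closes open
# Office applications so the update can complete, so warn users before using it.
Write-Output 'Office build is below the fixed build; starting update check.'
& $c2rClient /update user displaylevel=false forceappshutdown=true
exit 1
```

Run the script in the system context so it can read HKLM and launch the Click-to-Run client; a second run after the update has applied should then report compliance.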
Raunak has been using Intune and SCCM since the beginning of his career, is fond of cloud tech, and is eager to learn new technology. Working as a Customer Engineer with Patch My PC, his versatile technical skillset includes handling complex data, technical issues and personnel support tasks in distributed environments. He is also a fantastic cricketer who led a squad for nearly two years in college.
Raunak also writes for the Patch My PC Blog.