Microsoft Office Critical Update – CVE-2023-23397

by | Mar 18, 2023 | Blog, Critical Patches

Patch Tuesday Releases

Tech Blogs

Critical Patches

Issue Summary

On March 14th, 2023, Microsoft released an update for Outlook with a criticality of 9.8 out of a maximum of 10. This score indicates that the vulnerability is critical and has the potential to be exploited remotely. This means that the vulnerability can cause complete compromise of the system or application with no direct user interaction. The CVE that is being exploited is CVE-2023-23397.

Microsoft confirmed the magnitude of risk that this vulnerability possesses. It needs immediate attention as the exploit is triggered upon receipt of a malicious email. The attacker can exploit this vulnerability by sending a specifically crafted email that triggers the vulnerability automatically when it is retrieved and processed by the Outlook client. This means that the attacker can gain access to the victim’s environment before the email is even viewed by the recipient user.

Impacted Products

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook, such as Android, iOS, and Mac Online services’ Microsoft 365 applications, do not support NTLM authentication and are not vulnerable to being affected.

CVE-2023-23397 – Security Update Guide – Microsoft – Microsoft Outlook Elevation of Privilege Vulnerability

How can an attacker exploit this vulnerability?

This vulnerability will provide the attacker access to the victim’s Net-NTLMv2 hash, which they can use to authenticate as the victim on other services. According to Microsoft, to exploit CVE-2023-23397, a message with an extended MAPI property and a UNC path to an SMB (TCP 445) share on a threat actor-controlled server is what an attacker has to send in order to exploit CVE-2023-23397 and collect NTLM hashes. These hacked NTLM hashes can subsequently be utilised in NTLM relay attacks to gain access to corporate networks on a deeper level.

Note: CVE- 2023-23397 is a critical EoP (Escalation of Privilege) vulnerability in Microsoft Outlook.

What is Net-NTLMv2 hash?

Windows New technology LAN Manager (NTLM) is a type of password hash, or hashed login credentials, used by Windows environments for user authentication. In addition to that, it also supports mutual authentication: during the authentication process, both the client and the server confirm each other’s identities for an extra layer of security.

Impact evaluation

Microsoft is offering documentation and a script at CVE-2023-23397 script – Microsoft – CSS-Exchange to help users discover if attackers are attempting to exploit this vulnerability within their virtual environments.

Once this script is run, it is imperative that the output is assessed for potential risk. If a user finds tasks, emails, or calendar items that they cannot positively identify, the items should be immediately reviewed for malicious intent. Per Microsoft’s report, “If objects are detected, they should be removed. If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.”

Sources:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center

Client Remediation

Microsoft has published an update to address the issue for the following versions of Outlook:-

Manually Invoke an Office Update Check

Admins can force the Office client to perform an update using the following command, which can be deployed as a script or Proactive Remediation from Intune

"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user displaylevel=false forceappshutdown=false

Raunak Desai

Raunak has been using Intune and SCCM since the beginning of his career, is fond of cloud tech, and is eager to learn new technology. Working as a Customer Engineer with Patch My PC, his versatile technical skillset includes handling complex data, technical issues and personnel support tasks in distributed environments. He is also a fantastic cricketer who led a squad for nearly two years in college.

Raunak also writes for the Patch My PC Blog.

Tech Blog

Crowdstrike Debacle: A Love Letter to System Administrators Feature Image

The CrowdStrike Debacle: A Love Letter to System Administrators

Explore lessons from the 2024 CrowdStrike incident. A tribute to system admins and insights on what went wrong, how it was fixed, and preparing for...
SCCM vs WSUS - Blog Feature Image

SCCM Software Updates vs. WSUS Standalone Updates

Comparison of features between WSUS and Configuration Manager for managing updates and the platforms’ pros and cons

Kanban vs Scrum - Introduction to Kaban Feature Image

Introduction to Kanban: A Functional Overview of a Flexible Application of Agile Methodology

Kanban is an extension of Agile that offers flexibility and focus when approaching project management strategy. While initial implementation may...
PowerShell Uses - Feature Image

PowerShell Uses – Things to Start Doing, Things to Stop Doing

There are some things in PowerShell that you need to start doing but also stop doing. What is PowerShell and some of the best practices?

Intune Win32 Apps Guide to Availability and Deadlines Feature Image

Intune Win32 apps: A Strategic Guide to Availability and Deadlines

Discover the ins and outs of Intune Management Extension in our latest blog post. We’re exploring its behavior with scheduled win32 app...

Windows Defender Exploit Guard breaks Google Chrome

Often, blog titles are sensationalised and designed to draw the readers attention. In September 2023, we did actually observe the behavior described...
Discovery Apps - Intune Software Inventory - Feature Image

Discovered Apps – The Intune Software Inventory

Is there an Intune Software Inventory? How does Intune detect apps installed in my tenant? Find out everything you need to know about Discovered...

Intune Scope Tags and Role-Based Access Control Explained

In today's interconnected era, it has become increasingly common for large organizations to have multiple IT departments and workers spread across...

Intune Discovered Apps – Missing Inventory Data

At the tail end of June 2023 and into the first week of July 2023, many admins started to report that application inventory data was missing in...
Intune Discovery Apps - Detecting your applications and gaining back control Feature Image

Intune Discovered Apps – Detecting your applications and gaining back control

Learn more about the power of Intune Discovered Apps for application inventory management. Detect and manage your software inventory...

The CrowdStrike Debacle: A Love Letter to System Administrators

Explore lessons from the 2024 CrowdStrike incident. A tribute to system admins and insights on what went wrong, how it was fixed, and preparing for...

SCCM Software Updates vs. WSUS Standalone Updates

Comparison of features between WSUS and Configuration Manager for managing updates and the platforms’ pros and cons

Introduction to Kanban: A Functional Overview of a Flexible Application of Agile Methodology

Kanban is an extension of Agile that offers flexibility and focus when approaching project management strategy. While initial implementation may...

PowerShell Uses – Things to Start Doing, Things to Stop Doing

There are some things in PowerShell that you need to start doing but also stop doing. What is PowerShell and some of the best practices?

Intune Win32 apps: A Strategic Guide to Availability and Deadlines

Discover the ins and outs of Intune Management Extension in our latest blog post. We’re exploring its behavior with scheduled win32 app...

Windows Defender Exploit Guard breaks Google Chrome

Often, blog titles are sensationalised and designed to draw the readers attention. In September 2023, we did actually observe the behavior described...

Discovered Apps – The Intune Software Inventory

Is there an Intune Software Inventory? How does Intune detect apps installed in my tenant? Find out everything you need to know about Discovered...

Intune Scope Tags and Role-Based Access Control Explained

In today's interconnected era, it has become increasingly common for large organizations to have multiple IT departments and workers spread across...

Intune Discovered Apps – Missing Inventory Data

At the tail end of June 2023 and into the first week of July 2023, many admins started to report that application inventory data was missing in...

Intune Discovered Apps – Detecting your applications and gaining back control

Learn more about the power of Intune Discovered Apps for application inventory management. Detect and manage your software inventory...